Integrated Risk Assessment: A Proposal
A Proposal for an Integrated Risk Assessment Process
Risk is the threat that an event or action may adversely affect the business and prevent it from successfully achieving its objectives. A strong risk assessment process is:
- Robust, but transparent and easily explainable.
- Sufficiently detailed to identify key risks at the activity level.
- Specific enough to reduce subjectivity in the assignment of risk and control ratings.
- Applicable to all business processes, and allows comparison of risks between processes and businesses.
- Based on the framework components of COSO.
- Reliant on Six Sigma tools.
Process Progression
Risk and Frequency Matrix
- A component of the risk assessment process used to assess the risk of the process universe at a relatively high level, determine the cycle of quality control activities and validate the allocation of resources.
- A consistent method for assessing risk of the process universe.
- The starting point for linkage between business unit quality control activities, Internal Audit and Enterprise Risk.
- A model is completed for each department within the Company.
- Each model is reviewed and approved by the line of business.
- Models should be updated at least annually.
Risk and Frequency Matrix
Risk Profile Analysis: Assessment of Inherent Risk and Business Specific Risks
Strategic Risk
- New products, lines of business.
- Significant growth.
- Relocation of resources.
- Significant Company initiatives.
Reputation
- Confidentiality/Privacy concerns.
- Impact to the customer.
- Reputation risk/Regulatory.
- Public Relations/Marketing.
External Influences
- Industry conditions/market trends.
- Competition.
- Social/Political/Environmental.
- National economy.
Processing Complexity
- Volume.
- Major process changes.
- Degree of manual processes.
- Geographic (multiple locations).
- Multiple systems.
- Reliance on vendors.
Compliance
- How intensive is regulation? Increasing or decreasing?
- Regulators and rating agencies.
- Financial and operational impact of regulatory issues.
Risk Profile Analysis – Technology
Strategic Alignment/Management Importance
- Core activity.
- Business unit activity.
- Local system.
Continuity
- Consider: business continuity planning, disaster recovery, manual procedures and age/stability of systems.
Materiality/Complexity
- Consider: budget, revenues generated, resources consumed, transaction volume, number of users, centralized or decentralized, number of interfaces.
System and Process Change
- Consider: number and nature of changes, level of formality of procedures.
Risk Profile Analysis – Technology (Continued)
Project Management
- Consider: in-house versus outside, personnel skills, project timelines, quality and formality of documentation and process.
System Compliance
- Full compliance with EIS standards?
System Information Content
- Ranges from no customer information to significant customer information.
System Access
- Internal access.
- External access to employees, customers, vendors.
Risk Profile Analysis
Credit Risk
- Size of credit portfolio.
- Mix between higher and lower risk categories.
- Trends in uncollected balances.
Financial Impact
- Annual revenues.
- Significance to the Company.
- Information provided in Company financials (e.g. 10-K, 10-Q).
- Business unit subject to SOX testing.
Market Risk
- Size of the portfolio.
- Volatility of the portfolio.
- Effectiveness of models.
- Trading volumes.
Control Assessment: For Use With Risk & Frequency Matrix
People
- Quality of management and staff.
- Effectiveness of training programs.
- Effects of turnover.
Corporate Governance & Risk Management
- Quality of management reporting.
- Monitoring of vendor activities.
- Following industry best practices.
- Quality of internal risk assessment database documentation and SOX documentation.
Process
- Quality of policies and procedures.
- Quality of tracking of key metrics.
- Level of customer complaints.
- Any issues identified.
Control Assessment: For Use With Risk & Frequency Matrix
Technology
- Security of data.
- Management’s concern over administering technology controls.
- System change controls.
Audit & External Results
- Timing of last internal audit and significance of findings.
- Management’s willingness to address findings.
- All findings cleared.
- Significant findings by the external auditors.
- Significance of SOX findings.
Risk & Frequency Matrix
The rating for each process for each risk factor has specific criteria. For example:
Compliance risk: The risk that the business could fail to comply with regulations, accounting standards, policies and laws.
Ratings
1 – The business is not directly responsible for compliance with regulations, accounting standards and laws.
3 – The business unit is responsible for compliance with regulations, accounting standards and laws; however, their nature is not complex. Penalty for non-compliance is not material.
9 – The business unit has direct and formal responsibility for compliance with complex or high profile regulations, standards and/or laws. Penalties for non-compliance are material.
Risk & Frequency Matrix
Similarly, the rating for each process for each control factor has specific criteria:
Technology: The adequacy of controls over the technology used.
Ratings
1 – System failures have not occurred or have not had material impact. Controls are in place to monitor system activity.
3 – The business unit’s systems have undergone recent changes resulting in failures, but of immaterial impact. System development and change management controls are in place and functioning.
9 – The business unit’s systems have experienced material failures during the past year AND/OR there are no system development or change management controls in place OR controls are in place that are inadequate.
Cause & Effect Matrix
- Provides a structured approach to determine process functions’ relationship with key risk drivers from the risk and frequency matrix.
- Assists with formulating theories about causes and effects.
- Targets key processes and prioritizes items for further analysis.
- Breaks processes into activities or functions. A process may have a high correlation with a particular risk factor, but it may be that only one or two activities within that process contribute to the risk.
- Balances risk and reward.
Cause & Effect Matrix
Failure Mode and Effects Analysis
- A systematic way to identify potential weaknesses in a process.
- Helps evaluate and prioritize/rank potential failures of a process in order to prevent them from occurring.
- Identifies areas that are over-controlled.
- Sets a standard for each risk and control that is comparable across processes and businesses.
Failure Mode and Effects Analysis
Failure Mode and Effects Analysis: Key Points
- Each risk may have multiple failure modes. Each failure mode may have multiple effects.
- Severity does not incorporate volume or frequency.
- The same effect may have a different severity depending on the failure mode.
- The occurrence rating combines the likelihood for the cause, failure and effect together.
- Detection rules of thumb:
  Preventive = 1
  Detective = 2 or 3
  Reactive = 4 or 5
Failure Mode and Effects Analysis: Key Points
Risk Documentation
- Good: Single root cause driving the risk. Brief and concise. Worded as a possibility, not a certainty. Risks are not certain.
- Bad: Compound risk; absence of controls or failed controls presented as a risk; effects written as risks.
- The risk is not that the lock on the tiger’s cage might fail. Rather, the risk is that the tiger will get out of the cage and injure someone.
Control Documentation
- Good: Single, brief, concise sentence. Answers the questions: Who? What? When? And How?
- Bad: Mega controls, controls written as proposed controls, controls owned by a different business, undefined acronyms.
Control Types & Sub-Types: Preventive Controls
Policies and Procedures
- Formally documented: written, approved and accessible.
- Partially documented.
- Informally documented: defined through informal documents such as emails or meeting minutes.
- Not documented: activities driven only by common understanding.
Approval Authority
- Formally documented: written, approved and accessible.
- Partially documented.
- Informally documented.
- Not documented.
- Policies must be well understood and practiced.
Due Diligence
- Product: investigation of the fit of a product or service to expected attributes, features and characteristics.
- Vendor: investigation of financial health and prior performance.
Training
- Classroom.
- Video.
- Computer-based (CBT).
- Web-based (WBT).
- Independent study.
- On the job.
- A valid training control must have well defined content, a specific time and a specific audience.
Control Types & Sub-Types: Preventive Controls – Control Activities
Control activities are preventive controls that ensure a given risk is mitigated. Control activities are designed to prevent a risk from occurring in all transactions handled through a business process or system. They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. Control activities can be system based or non-system.
Non-System: Controls that require human intervention to prevent the documented risk from occurring.
- Segregation of duties: activities within a process are assigned to different individuals, building checks and balances to prevent fraud and/or detect other errors.
- Physical controls: safeguard procedures or physical inspections that prevent risk.
- Checklists/Questionnaires: standard documents that must be filled out and signed.
System: IT-based procedures and routines designed to prevent risk.
Control Types & Sub-Types: Detective
Management Reports
- Periodic and timely.
- Key compliance issues and risks, mitigation actions and monitoring results are reported.
- Deployed to appropriate levels of management.
Regulatory and Third Party Reports
- Accurate, complete and timely.
Risk & Compliance Tools
- Risk maps and other dashboard type tools.
- Aggregate and analyze information.
Certifications
- Confirm employees have read and understand policies.
- Confirm compliance with policies.
Reconciliations
- Ongoing activities built into recurring operating activities.
- Performed by line or support managers.
- Assessed and documented daily, weekly, monthly, quarterly or annually as appropriate.
Reviews
- A “second or fresh look” performed from time to time by business management.
- Scope and frequency are based on risk exposure and robustness of ongoing monitoring activities.
- Assessed and documented.
Inherent Risk Rating
The Inherent Risk Rating is broken down into four key components:
- Strategic Alignment
- Company Alignment
- Nature (Complexity) of Activity
- Materiality
This risk rating approach involves the scoring of each risk across these four components. These scores are then summed and an inherent risk rating is identified according to the Rating Scale below for input in the Risk and Control database. This approach is intended to reduce subjectivity in assigning ratings.
Risk Rating Scale
Score       Inherent Risk Rating
1 to 4      Low Risk – 1
5 to 8      Marginal – 2
9 to 12     Moderate – 3
13 to 16    Considerable – 4
17 to 20    High Risk – 5
Inherent Risk Rating: Component #1
Strategic Alignment – Range of 1 (Operations Support) to 5 (Strategic Objective Support). Consider whether the activity is directly linked to achieving a strategic objective or supports business daily operations.
1. Activity supports normal course of business operational functions.
2. Activity enables activities that are indirectly aligned with a strategic objective.
3. Activity enables activities that are directly aligned with a strategic objective.
4. Activity indirectly aligned with the achievement of a strategic objective.
5. Activity directly aligned with the achievement of a strategic objective.
Inherent Risk Rating: Component #2
Company Alignment – Range of 1 (Local) to 5 (Company). Consider to what extent a specific activity impacts the Company.
1. Task based activity.
2. Local process activity.
3. Business Unit activity that provides output that moves upstream to a business unit process.
4. Core organizational activity that provides output that moves upstream to an organizational process.
5. Core Company activity that provides output that moves upstream to a corporate process.
Inherent Risk Rating: Component #3
Nature (Complexity) of Activity – Range of 1 (Simple) to 5 (Complex). Consider transaction volume, number of steps/parties/hand-offs, internal versus external resource reliance.
1. Basic activity and risk. This activity maintains a minimal number of steps/hand-offs and is completed within a single department. Resources are sufficient.
2. Mostly typical and/or traditional nature of the activity and risk. This activity maintains a manageable number of steps/hand-offs and is completed within a single department. Resources are adequate.
3. Moderately complex activity and risk. This activity maintains an abundant number of steps/hand-offs. Adequacy of resources is questionable.
4. Complex activity and risk. This activity maintains a multitude of steps/hand-offs and crosses two or more departments. Resources appear inadequate.
5. Very complex activity and risk. Execution of this activity requires an excessive number of steps/hand-offs and crosses several departments. Resources are insufficient.
Inherent Risk Rating: Component #4
Materiality – Range of 1 (Immaterial) to 5 (Severe). Consider business unit budget, revenues generated, expenses, assets at risk.
1. If this risk were to occur, the loss could be absorbed by the organization in the normal course of business. The impact on earnings, capital and reputation would be immaterial. Financial exposure value less than $50,000.
2. If this risk were to occur, the loss for the most part could be absorbed. Financial exposure value less than $5,000,000.
3. If this risk were to occur, the loss to some extent could be absorbed in the normal course of business. The impact would be noticeable. Financial exposure value greater than $5,000,000 and less than $50,000,000.
4. If this risk were to occur, the loss could not be absorbed by the organization in the normal course of business. Negative impact would be material (greater than $50,000,000 and less than $250,000,000).
5. If this risk were to occur, the loss could not be absorbed in the normal course of business. The impact would be severe (greater than $250,000,000).
Risk Probability
The risk probability (or occurrence rating) should also be assessed based on the expected occurrence of the root cause (trigger event) in a pre-control environment.
- Improbable – The probability of exposure to this risk is remote. Failure is unlikely. This risk may only occur in rare or exceptional circumstances.
- Doubtful – The probability of exposure to this risk is unlikely. Relatively few failures are expected. There is a slight possibility that the risk could occur.
- Moderate – The probability of exposure to this risk is moderate. Occasional failures are expected. There is a possibility this may occur at some time.
- Possible – The probability of exposure to this risk is likely. Repeated failures are expected. There is a strong possibility this risk will occur in most circumstances.
- Probable – The probability of exposure to this risk is very high. Failure is almost inevitable. This risk is likely to occur in most circumstances.
Risk Direction
This component is utilized to evaluate the exposure trend to a given risk within the next 12 months. It should be assessed on a pre-control basis.
- Up – Changes in volume of transactions and/or other internal or external developments are expected to increase the Inherent Risk Rating and/or the Risk Probability within the next 12 months.
- Level – Changes in volume of transactions and/or other internal or external developments are not expected to change the Inherent Risk Rating or the Risk Probability within the next 12 months.
- Down – Changes in volume of transactions and/or other internal or external developments are expected to decrease the Inherent Risk Rating and/or the Risk Probability within the next 12 months.
Control Detection Rating
The Control Detection rating is used to assess the ability of a group of controls currently in place to (in aggregate) detect a control failure prior to the effect impacting the product or being felt by the customer. The assessment of the control detection rating should not consider proposed controls. The following guidelines are the suggested thought process for assessing the control detection rating, which is broken into four key components:
- Automation vs. Manual
- Type of Control
- Policies and Procedures
- Scalability
This approach involves the scoring of controls across these four components. Scores are then summed. This methodology is intended to reduce subjectivity in assigning ratings.
Control Rating Scale (A Lower Number is Better)
Score       Control Rating
1 to 4      Effective – 1
5 to 8      Monitor – 2
9 to 12     Needs Improvement – 3
13 to 16    Impaired – 4
17 to 20    Unsatisfactory – 5
Control Detection Rating: Component #1
Automation vs. Manual – Range of 1 (Fully Automated) to 5 (Manual). Consider the extent of automation versus manual controls in business processes, and the testing of controls for assurance that they are operating as designed.
1. Primary controls are fully automated without requiring human intervention and are tested on an automated, ongoing basis.
2. Primary controls are semi-automated with minimal human intervention and touch points, and are regularly tested based on a formally established schedule and procedures.
3. Primary controls are semi-automated with moderate human intervention and multiple touch points within and outside the department. They are periodically tested based on informal procedures.
4. Primary controls are manual. Testing is ad hoc, perhaps after failures.
5. Primary controls are manual. They are not tested.
Control Detection Rating: Component #2
Type of Control – Range of 1 (Preventive) to 5 (No Current Controls). Consider the type of controls currently in place.
1. Preventive: Controls are directed at preventing risks from occurring.
2. Minimizing: Controls are directed at minimizing major risk exposures.
3. Reporting: Controls are directed at reporting potential risk exposures.
4. Detective: Controls are directed at addressing exposures resulting from a risk occurrence.
5. No Current Controls: There are no controls in place to manage risk.
Control Detection Rating: Component #3
Policies and Procedures – Range of 1 (Formal) to 5 (Nonexistent). Consider the extent to which policies and procedures are documented, communicated and accessible.
1. Policies and procedures are formally documented, communicated, readily accessible and are reviewed and updated on an ongoing basis. Sign-off is attained.
2. Policies and procedures are formally documented, communicated, accessible on request and are reviewed and updated on a periodic basis. Sign-off is not attained.
3. Policies and procedures are partially documented, informally communicated, access is restricted and they are infrequently reviewed and updated. Sign-off is not attained.
4. Policies and procedures are informally documented and communicated, access is restricted and they are not updated. Sign-off is not attained.
5. Policies and procedures are not documented.
Control Detection Rating: Component #4
Scalability – Range of 1 (Flexible) to 5 (Not Flexible). Consider the scalability of personnel and/or systems to changes in work flow and activity.
1. Personnel and/or systems are flexible to adjust to changes in work flow.
2. Personnel and/or systems are flexible to adjust to changes in work flow with minimal lead time (<= 30 days).
3. Personnel and/or systems are partially flexible, with moderate lead time (> 30 days and <= 60 days).
4. Personnel and/or systems possess minimal flexibility to adjust (> 60 days).
5. Personnel and/or systems are not flexible to adjust to changes.
Effective Controls
Controls rated 1 – Effective and 2 – Monitor are considered acceptable levels of control quality. The main difference between a 1 – Effective and a 2 – Monitor control structure is that, in addition to its preventive nature, the former is also capable of identifying and adapting to changes in the environment and business processes. This capability is achieved through the adoption of robust monitoring controls in addition to sound and efficient preventive controls.
Therefore, control structures rated 1 – Effective must be comprised of at least two robust controls (one preventive and the other monitoring in nature). Control structures rated 1 – Effective are expected to be optimal structures; hence, there should be no need to improve them.
Controls That Need Improvement
The control detection rating should be an honest assessment. Sometimes managers acknowledge that the quality of controls in place is below desirable levels, but several factors may prevent them from implementing immediate improvements. On these occasions, managers must assess the control detection rating according to the quality of the controls currently in place (3 – Needs Improvement or lower), and document their efforts to improve the quality of the control structure by recording proposed controls in the Risk and Control database. These proposed controls should be sufficient to improve the control detection rating to a 2 – Monitor or a 1 – Effective rating once they are implemented.
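The scoring procedure from the Inherent Risk Rating and Control Detection Rating slides above (four components, each scored 1 to 5, summed and read off the shared 1 to 20 scale), together with the 1 – Effective rule and the exclusion of proposed controls, as an added Python example that is not part of the deck. The component keys, the Control class and the sample scores are assumptions constructed for illustration; the deck's Risk and Control database is not modelled.

```python
"""Scoring helpers for the deck's Inherent Risk Rating and Control Detection
Rating: four components, each scored 1 to 5, summed, and mapped onto the
shared 1-20 rating scale. Hypothetical example code written for this page;
the Risk and Control database the deck refers to is not modelled."""
from dataclasses import dataclass

# Score bands from the deck's Risk Rating Scale and Control Rating Scale.
# Both scales use the same bands; only the labels differ.
BANDS = ((1, 4), (5, 8), (9, 12), (13, 16), (17, 20))
INHERENT_LABELS = ("Low Risk", "Marginal", "Moderate", "Considerable", "High Risk")
CONTROL_LABELS = ("Effective", "Monitor", "Needs Improvement", "Impaired", "Unsatisfactory")

# The four components of each rating, keyed by assumed snake_case names.
INHERENT_COMPONENTS = ("strategic_alignment", "company_alignment",
                       "nature_of_activity", "materiality")
CONTROL_COMPONENTS = ("automation_vs_manual", "type_of_control",
                      "policies_and_procedures", "scalability")


def _sum_component_scores(scores: dict[str, int], components: tuple[str, ...]) -> int:
    """Validate that exactly the expected components are present, each an
    integer 1..5, and return their sum (always 4..20 for four components)."""
    expected = set(components)
    if set(scores) != expected:
        raise ValueError(f"expected components {sorted(expected)}, got {sorted(scores)}")
    for name, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"component {name!r} must be an integer 1..5, got {value!r}")
    return sum(scores.values())


def band_for(total: int) -> int:
    """Map a summed score onto the 1..5 band of the deck's rating scales."""
    for band, (low, high) in enumerate(BANDS, start=1):
        if low <= total <= high:
            return band
    raise ValueError(f"total {total} is outside the 1..20 rating scale")


def inherent_risk_rating(scores: dict[str, int]) -> tuple[int, str]:
    """Inherent Risk Rating as (band, label), e.g. (4, 'Considerable')."""
    band = band_for(_sum_component_scores(scores, INHERENT_COMPONENTS))
    return band, INHERENT_LABELS[band - 1]


def control_detection_rating(scores: dict[str, int]) -> tuple[int, str]:
    """Control Detection Rating as (band, label); a lower number is better.
    Scores must describe controls currently in place, not proposed ones."""
    band = band_for(_sum_component_scores(scores, CONTROL_COMPONENTS))
    return band, CONTROL_LABELS[band - 1]


def is_acceptable_control_rating(band: int) -> bool:
    """Deck rule: 1 - Effective and 2 - Monitor are acceptable levels."""
    return band in (1, 2)


@dataclass(frozen=True)
class Control:
    """One documented control (assumed structure). `nature` is 'preventive'
    or 'monitoring'; `proposed` marks a control that is not yet implemented."""
    name: str
    nature: str
    proposed: bool = False


def supports_effective_rating(controls: list[Control]) -> bool:
    """Deck rule for a 1 - Effective structure: at least two robust controls
    in place, one preventive and one monitoring in nature. Proposed controls
    are excluded because the rating must reflect controls currently in place."""
    in_place = [c for c in controls if not c.proposed]
    natures = {c.nature for c in in_place}
    return len(in_place) >= 2 and {"preventive", "monitoring"} <= natures


def worked_example() -> dict:
    """Constructed example: a reconciliation process with one preventive
    control in place and a monitoring report that is only proposed."""
    inherent = inherent_risk_rating({
        "strategic_alignment": 4, "company_alignment": 3,
        "nature_of_activity": 4, "materiality": 3})        # sum 14 -> Considerable
    current = control_detection_rating({
        "automation_vs_manual": 4, "type_of_control": 4,
        "policies_and_procedures": 3, "scalability": 2})   # sum 13 -> Impaired
    controls = [
        Control("Segregation of duties over postings", "preventive"),
        Control("Monthly exception report to controller", "monitoring", proposed=True),
    ]
    return {
        "inherent": inherent,
        "control": current,
        "acceptable": is_acceptable_control_rating(current[0]),
        "effective_structure": supports_effective_rating(controls),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```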

Weitere ähnliche Inhalte

Was ist angesagt?

ERM Benchmarking Survey Results
ERM Benchmarking Survey ResultsERM Benchmarking Survey Results
ERM Benchmarking Survey ResultsResolver Inc.
 
Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002SARVJEET KAUSHAL
 
Regulatory Risk
Regulatory RiskRegulatory Risk
Regulatory Risknikatmalik
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditorsminkhollow
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information Systemarif prasetyo
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-PracticesMarco Raposo
 
Qpr 8 Risk Management And Compliance Solution
Qpr 8 Risk Management And Compliance SolutionQpr 8 Risk Management And Compliance Solution
Qpr 8 Risk Management And Compliance SolutionIycon India
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Donald E. Hester
 
Risk assessment facilitation guide
Risk assessment facilitation guideRisk assessment facilitation guide
Risk assessment facilitation guideCenapSerdarolu
 
Data analytics and audit coverage guide
Data analytics and audit coverage guideData analytics and audit coverage guide
Data analytics and audit coverage guideCenapSerdarolu
 
Performance measures guide
Performance measures guidePerformance measures guide
Performance measures guideCenapSerdarolu
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesSlideTeam
 
Enterprise risk management summary approach guide
Enterprise risk management summary approach guideEnterprise risk management summary approach guide
Enterprise risk management summary approach guideCenapSerdarolu
 

Was ist angesagt? (20)

ERM Benchmarking Survey Results
ERM Benchmarking Survey ResultsERM Benchmarking Survey Results
ERM Benchmarking Survey Results
 
Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002
 
Bankauditin it env
Bankauditin it envBankauditin it env
Bankauditin it env
 
Coso erm
Coso ermCoso erm
Coso erm
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSO
 
Regulatory Risk
Regulatory RiskRegulatory Risk
Regulatory Risk
 
Risk Assessment For Internal Auditors
Risk Assessment For Internal AuditorsRisk Assessment For Internal Auditors
Risk Assessment For Internal Auditors
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
 
Qpr 8 Risk Management And Compliance Solution
Qpr 8 Risk Management And Compliance SolutionQpr 8 Risk Management And Compliance Solution
Qpr 8 Risk Management And Compliance Solution
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
 
Control self assessment (csa)
Control self assessment (csa)Control self assessment (csa)
Control self assessment (csa)
 
Risk assessment facilitation guide
Risk assessment facilitation guideRisk assessment facilitation guide
Risk assessment facilitation guide
 
Data analytics and audit coverage guide
Data analytics and audit coverage guideData analytics and audit coverage guide
Data analytics and audit coverage guide
 
Performance measures guide
Performance measures guidePerformance measures guide
Performance measures guide
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
 
Enterprise risk management summary approach guide
Enterprise risk management summary approach guideEnterprise risk management summary approach guide
Enterprise risk management summary approach guide
 
Root cause analysis questionnaire
Root cause analysis questionnaireRoot cause analysis questionnaire
Root cause analysis questionnaire
 
Rm 11
Rm 11Rm 11
Rm 11
 
Audit ratings guide
Audit ratings guideAudit ratings guide
Audit ratings guide
 

Ähnlich wie Risk Assessment Framework

Cyber metrics for KPIs and KRIs to measure risks and highlight trends
Cyber metrics for KPIs and KRIs to measure risks and highlight trendsCyber metrics for KPIs and KRIs to measure risks and highlight trends
Cyber metrics for KPIs and KRIs to measure risks and highlight trendsSkillweed
 
Process Level Auditing Presentation
Process Level Auditing   PresentationProcess Level Auditing   Presentation
Process Level Auditing PresentationVernon Benjamin
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk ConsultingPrashant Jain
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard Jim Robins
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Eneni Oduwole
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Process Maturity Assessment
Process Maturity AssessmentProcess Maturity Assessment
Process Maturity Assessmentpchronis
 
Chapter 11Organizational ControlOrganizati.docx
Chapter 11Organizational ControlOrganizati.docxChapter 11Organizational ControlOrganizati.docx
Chapter 11Organizational ControlOrganizati.docxcravennichole326
 

Ähnlich wie Risk Assessment Framework (20)

2. Risk Management.pptx
2.  Risk Management.pptx2.  Risk Management.pptx
2. Risk Management.pptx
 
Presentation_20110802213554
Presentation_20110802213554Presentation_20110802213554
Presentation_20110802213554
 
Cyber metrics for KPIs and KRIs to measure risks and highlight trends
Cyber metrics for KPIs and KRIs to measure risks and highlight trendsCyber metrics for KPIs and KRIs to measure risks and highlight trends
Cyber metrics for KPIs and KRIs to measure risks and highlight trends
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management Training
 
It62015 slides
It62015 slidesIt62015 slides
It62015 slides
 
Internal audit
Internal auditInternal audit
Internal audit
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Process Level Auditing Presentation
Process Level Auditing   PresentationProcess Level Auditing   Presentation
Process Level Auditing Presentation
 
Monitoring
MonitoringMonitoring
Monitoring
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard CML Group GRCaaS Dashboard
CML Group GRCaaS Dashboard
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
IA PRESENTATION-4.pptx
IA PRESENTATION-4.pptxIA PRESENTATION-4.pptx
IA PRESENTATION-4.pptx
 
Process Maturity Assessment
Process Maturity AssessmentProcess Maturity Assessment
Process Maturity Assessment
 
Chapter 11Organizational ControlOrganizati.docx
Chapter 11Organizational ControlOrganizati.docxChapter 11Organizational ControlOrganizati.docx
Chapter 11Organizational ControlOrganizati.docx
 
Hazards and risk management
Hazards and risk managementHazards and risk management
Hazards and risk management
 

Risk Assessment Framework

  • 2. A Proposal for an Integrated Risk Assessment Process Risk is the threat than an event or action may adversely affect the business and prevent it from successfully achieving its objectives. A strong risk assessment process is: Robust, but transparent and easily explainable. Sufficiently detailed to identify key risks at the activity level. Specific enough to reduce subjectivity in the assignment of risk and control ratings. Applicable to all business processes and allows comparison of risks between processes and businesses. Based on the framework components of COSO. Reliant on Six Sigma tools.
  • 4. Risk and Frequency Matrix A component of the risk assessment process used to assess the risk of the process universe at a relatively high level, determine the cycle of quality control activities and to validate allocation of resources. A consistent method for assessing risk of the process universe. The starting point for linkage between business unit quality control activities, Internal Audit and Enterprise Risk. A model is completed for each department within the Company Each model is reviewed and approved by the line of business. Models should be updated at least annually.
  • 7. Risk Profile AnalysisAssessment of Inherent Risk and Business Specific Risks Strategic Risk New products, lines of business. Significant growth. Relocation of resources. Significant Company initiatives. Reputation Confidentiality/Privacy concerns Impact to the customer Reputation risk/Regulatory Public Relations/Marketing External Influences Industry conditions/market trends Competition Social/Political/Environmental National economy. Processing Complexity Volume Major process changes Degree of manual processes Geographic (multiple locations) Multiple systems Reliance on vendors Compliance How intensive is regulation? Increasing or decreasing? Regulators and rating agencies Financial and operational impact of regulatory issues.
  • 8. Risk Profile Analysis – Technology
    • Strategic Alignment/Management Importance: Core activity. Business unit activity. Local system.
    • Continuity: Consider business continuity planning, disaster recovery, manual procedures and age/stability of systems.
    • Materiality/Complexity: Consider budget, revenues generated, resources consumed, transaction volume, number of users, centralized or decentralized, number of interfaces.
    • System and Process Change: Consider number and nature of changes, level of formality of procedures.
  • 9. Risk Profile Analysis – Technology (Continued)
    • Project Management: Consider in-house versus outside, personnel skills, project timelines, quality and formality of documentation and process.
    • System Compliance: Full compliance with EIS standards?
    • System Information Content: Ranges from no customer information to significant customer information.
    • System Access: Internal access. External access to employees, customers, vendors.
  • 10. Risk Profile Analysis
    • Credit Risk: Size of credit portfolio. Mix between higher and lower risk categories. Trends in uncollected balances.
    • Financial Impact: Annual revenues. Significance to the Company. Information provided in Company financials (e.g. 10-K, 10-Q). Business unit subject to SOX testing.
    • Market Risk: Size of the portfolio. Volatility of the portfolio. Effectiveness of models. Trading volumes.
  • 11. Control Assessment: For Use With Risk & Frequency Matrix
    • People: Quality of management and staff. Effectiveness of training programs. Effects of turnover.
    • Corporate Governance & Risk Management: Quality of management reporting. Monitoring of vendor activities. Following industry best practices. Quality of internal risk assessment database documentation and SOX documentation.
    • Process: Quality of policies and procedures. Quality of tracking of key metrics. Level of customer complaints. Any issues identified.
  • 12. Control Assessment: For Use With Risk & Frequency Matrix
    • Technology: Security of data. Management’s concern over administering technology controls. System change controls.
    • Audit & External Results: Timing of last internal audit and significance of findings. Management’s willingness to address findings. All findings cleared. Significant findings by the external auditors. Significance of SOX findings.
  • 13. Risk & Frequency Matrix
    The rating for each process for each risk factor has specific criteria. For example, Compliance risk: the risk that the business could fail to comply with regulations, accounting standards, policies and laws. Ratings:
    • 1 – The business is not directly responsible for compliance with regulations, accounting standards and laws.
    • 3 – The business unit is responsible for compliance with regulations, accounting standards and laws; however, their nature is not complex. Penalty for non-compliance is not material.
    • 9 – The business unit has direct and formal responsibility for compliance with complex or high profile regulations, standards and/or laws. Penalties for non-compliance are material.
  • 14. Risk & Frequency Matrix
    Similarly, the rating for each process for each control factor has specific criteria. For example, Technology: the adequacy of controls over technology used. Ratings:
    • 1 – System failures have not occurred or have not had material impact. Controls are in place to monitor system activity.
    • 3 – The business unit’s systems have undergone recent changes resulting in failures, but of immaterial impact. System development and change management controls are in place and functioning.
    • 9 – The business unit’s systems have experienced material failures during the past year AND/OR there are no system development or change management controls in place OR controls are in place that are inadequate.
  • 15. Cause & Effect Matrix
    • Provides a structured approach to determine process functions’ relationship with key risk drivers from the risk and frequency matrix.
    • Assists with formulating theories about causes and effects.
    • Targets key processes and prioritizes items for further analysis.
    • Breaks processes into activities or functions. A process may have a high correlation with a particular risk factor, but it may be that only one or two activities within that process contribute to the risk.
    • Balances risk and reward.
  • 16. Cause & Effect Matrix
  • 17. Cause & Effect Matrix
  • 18. Failure Mode and Effects Analysis
    • A systematic way to identify potential weaknesses in a process.
    • Helps evaluate and prioritize/rank potential failures of a process in order to prevent them from occurring.
    • Identifies areas that are over controlled.
    • Sets a standard for each risk and control that is comparable across processes and businesses.
  • 19. Failure Mode and Effects Analysis
  • 20. Failure Mode and Effects Analysis: Key Points
    • Each risk may have multiple failure modes.
    • Each failure mode may have multiple effects.
    • Severity does not incorporate volume or frequency.
    • The same effect may have a different severity depending on the failure mode.
    • The occurrence rating combines the likelihood for the cause, failure and effect together.
    • Detection rules of thumb: Preventive = 1; Detective = 2 or 3; Reactive = 4 or 5.
  • 21. Failure Mode and Effects Analysis: Key Points
    • Risk Documentation
      Good: Single root cause driving the risk. Brief and concise. Worded as a possibility, not a certainty. Risks are not certain.
      Bad: Compound risk; absence of controls or failed controls presented as a risk; effects written as risks. The risk is not that the lock on the tiger’s cage might fail. Rather, the risk is that the tiger will get out of the cage and injure someone.
    • Control Documentation
      Good: Single, brief, concise sentence. Answers the questions: Who? What? When? And How?
      Bad: Mega controls; controls written as proposed controls; controls owned by a different business; undefined acronyms.
  • 22. Control Types & Sub-Types: Preventive Controls
    • Policies and Procedures
      Formally documented: Written, approved and accessible. Partially documented. Informally documented: Defined through informal documents such as emails or meeting minutes. Not documented: Activities driven only by common understanding.
    • Approval Authority
      Formally documented: Written, approved and accessible. Partially documented. Informally documented. Not documented. Policies must be well understood and practiced.
    • Due Diligence
      Product: Investigation of the fit of a product or service to expected attributes, features and characteristics. Vendor: Investigation of financial health and prior performance.
    • Training
      Classroom. Video. Computer-based (CBT). Web-based (WBT). Independent study. On the job. A valid training control must have well defined content, a specific time and a specific audience.
  • 23. Control Types & Sub-Types: Preventive Controls – Control Activities
    Control activities are preventive controls that ensure a given risk is mitigated. They are designed to prevent a risk from occurring in all transactions handled through a business process or system. They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions, and can be system based or non-system based.
    • Non-System: Controls that require human intervention to prevent the documented risk from occurring.
      Segregation of duties: Activities within a process are assigned to different individuals, building checks and balances to prevent fraud and/or detect other errors.
      Physical controls: Safeguard procedures or physical inspections that prevent risk.
      Checklists/Questionnaires: Standard documents that must be filled out and signed.
    • System: IT-based procedures and routines designed to prevent risk.
  • 24. Control Types & Sub-Types: Detective
    • Management Reports: Periodic and timely. Key compliance issues and risks, mitigation actions and monitoring results are reported. Deployed to appropriate levels of management.
    • Regulatory and Third Party Reports: Accurate, complete and timely.
    • Risk & Compliance tools: Risk maps and other dashboard type tools. Aggregate and analyze information.
    • Certifications: Confirm employees have read and understand policies. Confirm compliance with policies.
    • Reconciliations: Ongoing activities built into recurring operating activities. Performed by line or support managers. Assessed and documented daily, weekly, monthly, quarterly or annually as appropriate.
    • Reviews: A “second or fresh look” performed from time to time by business management. Scope and frequency are based on risk exposure and robustness of ongoing monitoring activities. Assessed and documented.
  • 25. Inherent Risk Rating
    The Inherent Risk Rating is broken down into four key components:
    • Strategic Alignment
    • Company Alignment
    • Nature (Complexity) of Activity
    • Materiality
    This risk rating approach involves the scoring of each risk across these four components. These scores are then summed and an inherent risk rating is identified according to the Rating Scale below for input in the Risk and Control database. This approach is intended to reduce subjectivity in assigning ratings.
  • 26. Risk Rating Scale
    Score      | Inherent Risk Rating
    1 to 4     | Low Risk – 1
    5 to 8     | Marginal – 2
    9 to 12    | Moderate – 3
    13 to 16   | Considerable – 4
    17 to 20   | High Risk – 5
  • 27. Inherent Risk Rating, Component #1: Strategic Alignment – Range of 1 (Operations Support) to 5 (Strategic Objective Support). Consider whether the activity is directly linked to achieving a strategic objective or supports daily business operations.
    1 – Activity supports normal course of business operational functions.
    2 – Activity enables activities that are indirectly aligned with a strategic objective.
    3 – Activity enables activities that are directly aligned with a strategic objective.
    4 – Activity indirectly aligned with the achievement of a strategic objective.
    5 – Activity directly aligned with the achievement of a strategic objective.
  • 28. Inherent Risk Rating, Component #2: Company Alignment – Range of 1 (Local) to 5 (Company). Consider to what extent a specific activity impacts the Company.
    1 – Task based activity.
    2 – Local process activity.
    3 – Business Unit activity that provides output that moves upstream to a business unit process.
    4 – Core organizational activity that provides output that moves upstream to an organizational process.
    5 – Core Company activity that provides output that moves upstream to a corporate process.
  • 29. Inherent Risk Rating, Component #3: Nature (Complexity) of Activity – Range of 1 (Simple) to 5 (Complex). Consider transaction volume, number of steps/parties/hand-offs, internal versus external resource reliance.
    1 – Basic activity and risk. This activity maintains a minimal number of steps/hand-offs and is completed within a single department. Resources are sufficient.
    2 – Mostly typical and/or traditional nature of the activity and risk. This activity maintains a manageable number of steps/hand-offs and is completed within a single department. Resources are adequate.
    3 – Moderately complex activity and risk. This activity maintains an abundant number of steps/hand-offs. Adequacy of resources is questionable.
    4 – Complex activity and risk. This activity maintains a multitude of steps/hand-offs and crosses two or more departments. Resources appear inadequate.
    5 – Very complex activity and risk. Execution of this activity requires an excessive number of steps/hand-offs and crosses several departments. Resources are insufficient.
  • 30. Inherent Risk Rating, Component #4: Materiality – Range of 1 (Immaterial) to 5 (Severe). Consider business unit budget, revenues generated, expenses, assets at risk.
    1 – If this risk were to occur, the loss could be absorbed by the organization in the normal course of business. The impact on earnings, capital and reputation would be immaterial. Financial exposure value less than $50,000.
    2 – If this risk were to occur, the loss for the most part could be absorbed. Financial exposure value less than $5,000,000.
    3 – If this risk were to occur, the loss to some extent could be absorbed in the normal course of business. The impact would be noticeable. Financial exposure value greater than $5,000,000 and less than $50,000,000.
    4 – If this risk were to occur, the loss could not be absorbed by the organization in the normal course of business. Negative impact would be material (greater than $50,000,000 and less than $250,000,000).
    5 – If this risk were to occur, the loss could not be absorbed in the normal course of business. The impact would be severe (greater than $250,000,000).
  • 31. Risk Probability
    The risk probability (or occurrence rating) should also be assessed based on the expected occurrence of the root cause (trigger event) in a pre-control environment.
    • Improbable – The probability of exposure to this risk is remote. Failure is unlikely. This risk may only occur in rare or exceptional circumstances.
    • Doubtful – The probability of exposure to this risk is unlikely. Relatively few failures are expected. There is a slight possibility that the risk could occur.
    • Moderate – The probability of exposure to this risk is moderate. Occasional failures are expected. There is a possibility this may occur at some time.
    • Possible – The probability of exposure to this risk is likely. Repeated failures are expected. There is a strong possibility this risk will occur in most circumstances.
    • Probable – The probability of exposure to this risk is very high. Failure is almost inevitable. This risk is likely to occur in most circumstances.
  • 32. Risk Direction
    This component is utilized to evaluate the exposure trend to a given risk within the next 12 months. It should be assessed on a pre-control basis.
    • Up – Changes in volume of transactions and/or other internal or external developments are expected to increase the Inherent Risk Rating and/or the Risk Probability within the next 12 months.
    • Level – Changes in volume of transactions and/or other internal or external developments are not expected to change the Inherent Risk Rating or the Risk Probability within the next 12 months.
    • Down – Changes in volume of transactions and/or other internal or external developments are expected to decrease the Inherent Risk Rating and/or the Risk Probability within the next 12 months.
  • 33. Control Detection Rating
    The Control Detection rating is used to assess the ability of a group of controls currently in place to (in aggregate) detect a control failure prior to the effect impacting the product or being felt by the customer. The assessment of the control detection rating should not consider proposed controls. The following guidelines are the suggested thought process for assessing the control detection rating, which is broken into four key components:
    • Automation vs. Manual
    • Type of Control
    • Policies and Procedures
    • Scalability
    This approach involves the scoring of controls across these four components. Scores are then summed. This methodology is intended to reduce subjectivity in assigning ratings.
  • 34. Control Rating Scale (A Lower Number is Better)
    Score      | Control Rating
    1 to 4     | Effective – 1
    5 to 8     | Monitor – 2
    9 to 12    | Needs Improvement – 3
    13 to 16   | Impaired – 4
    17 to 20   | Unsatisfactory – 5
  • 35. Control Detection Rating, Component #1: Automation vs. Manual – Range of 1 (Fully Automated) to 5 (Manual). Consider the extent of automation versus manual controls in business processes and the testing of controls for assurance that they are operating as designed.
    1 – Primary controls are fully automated without requiring human intervention and are tested on an automated, ongoing basis.
    2 – Primary controls are semi-automated with minimal human intervention and touch points and are regularly tested based on a formally established schedule and procedures.
    3 – Primary controls are semi-automated with moderate human intervention and multiple touch points within and outside the department. They are periodically tested based on informal procedures.
    4 – Primary controls are manual. Testing is ad hoc, perhaps after failures.
    5 – Primary controls are manual. They are not tested.
  • 36. Control Detection Rating, Component #2: Type of Control – Range of 1 (Preventive) to 5 (No Current Controls). Consider the type of controls currently in place.
    1 – Preventive: Controls are directed at preventing risks from occurring.
    2 – Minimizing: Controls are directed at minimizing major risk exposures.
    3 – Reporting: Controls are directed at reporting potential risk exposures.
    4 – Detective: Controls are directed at addressing exposures resulting from a risk occurrence.
    5 – No Current Controls: There are no controls in place to manage risk.
  • 37. Control Detection Rating, Component #3: Policies and Procedures – Range of 1 (Formal) to 5 (Nonexistent). Consider the extent to which policies and procedures are documented, communicated and accessible.
    1 – Policies and procedures are formally documented, communicated, readily accessible and are reviewed and updated on an ongoing basis. Sign-off is attained.
    2 – Policies and procedures are formally documented, communicated, accessible on request and are reviewed and updated on a periodic basis. Sign-off is not attained.
    3 – Policies and procedures are partially documented, informally communicated, access is restricted and they are infrequently reviewed and updated. Sign-off is not attained.
    4 – Policies and procedures are informally documented and communicated, access is restricted and they are not updated. Sign-off is not attained.
    5 – Policies and procedures are not documented.
  • 38. Control Detection Rating, Component #4: Scalability – Range of 1 (Flexible) to 5 (Not Flexible). Consider the scalability of personnel and/or systems to changes in work flow and activity.
    1 – Personnel and/or systems are flexible to adjust to changes in work flow.
    2 – Personnel and/or systems are flexible to adjust to changes in work flow with minimal lead time (<= 30 days).
    3 – Personnel and/or systems are partially flexible, with moderate lead time (> 30 days and <= 60 days).
    4 – Personnel and/or systems possess minimal flexibility to adjust (> 60 days).
    5 – Personnel and/or systems are not flexible to adjust to changes.
  • 39. Effective Controls
    Controls rated 1 – Effective and 2 – Monitor are considered acceptable levels of control quality. The main difference between a 1-Effective and a 2-Monitor control structure is that, in addition to its preventive nature, the former is also capable of identifying and adapting to changes in the environment and business processes. This capability is achieved through the adoption of robust monitoring controls in addition to sound and efficient preventive controls. Therefore, control structures rated 1-Effective must be comprised of at least two robust controls (one preventive and the other monitoring in nature). Control structures rated 1-Effective are expected to be optimal structures; hence, there should be no need to improve them.
  • 40. Controls That Need Improvement The control detection rating should be an honest assessment. Sometimes, managers acknowledge that the quality of controls in place is below desirable levels, but several factors may prevent them from implementing immediate improvements. On these occasions, managers must assess the control detection rating according to the quality of the controls currently in place (3 – Needs Improvement or lower), and document their efforts to improve quality of the control structure by recording proposed controls in the Risk and Control database. These proposed controls should be sufficient to improve the control detection rating to a 2-Monitor or a 1-Effective rating once they are implemented.
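As an added worked example (not the presentation's own tooling or its Risk and Control database), the following Python implements the scoring arithmetic of the Inherent Risk Rating (slides 25-30) and the Control Detection Rating (slides 33-40): four component scores of 1 to 5 are summed and mapped onto the five-band scales, the materiality component is derived from the slide 30 dollar thresholds, proposed controls are excluded, and a 1-Effective result is held at 2-Monitor unless a preventive and a monitoring control are both in place. The `Control` class, the lower-band treatment of exact dollar boundaries and the 2-Monitor hold are assumptions made for the example.

```python
"""Rating arithmetic from slides 25-40: four components scored 1..5 are
summed and the total is mapped onto a five-band scale. Constructed
illustration; not the presentation's own tooling or database."""
from dataclasses import dataclass

INHERENT_LABELS = ["Low Risk", "Marginal", "Moderate", "Considerable", "High Risk"]
CONTROL_LABELS = ["Effective", "Monitor", "Needs Improvement", "Impaired", "Unsatisfactory"]

# Slide 30 materiality bands: upper bound of financial exposure (USD) for scores
# 1..4; anything above the last bound scores 5. The slides do not say which band
# an exact boundary value falls in; here it goes to the lower band (assumption).
MATERIALITY_BOUNDS = [50_000, 5_000_000, 50_000_000, 250_000_000]


def band_rating(total: int) -> int:
    """Map a summed score onto rating 1..5 (1-4, 5-8, 9-12, 13-16, 17-20)."""
    if not 4 <= total <= 20:
        raise ValueError(f"summed score out of range: {total}")
    return (total - 1) // 4 + 1


def _check(name: str, score: int) -> int:
    """Each component must be an integer in 1..5."""
    if not isinstance(score, int) or not 1 <= score <= 5:
        raise ValueError(f"{name} must be an integer 1..5, got {score!r}")
    return score


def materiality_score(exposure_usd: float) -> int:
    """Component #4: financial exposure -> 1 (immaterial) .. 5 (severe)."""
    if exposure_usd < 0:
        raise ValueError("exposure must be non-negative")
    for score, bound in enumerate(MATERIALITY_BOUNDS, start=1):
        if exposure_usd <= bound:
            return score
    return 5


def inherent_risk_rating(strategic: int, company: int, complexity: int,
                         materiality: int) -> tuple[int, str]:
    """Slides 25-30: sum the four components and band the result."""
    parts = [("strategic", strategic), ("company", company),
             ("complexity", complexity), ("materiality", materiality)]
    rating = band_rating(sum(_check(n, s) for n, s in parts))
    return rating, INHERENT_LABELS[rating - 1]


@dataclass(frozen=True)
class Control:                # hypothetical record type for the example
    name: str
    kind: str                 # e.g. "preventive", "monitoring", "detective"
    in_place: bool            # proposed controls must not count (slides 33, 40)


def control_detection_rating(automation: int, control_type: int, policies: int,
                             scalability: int, controls: list[Control]) -> tuple[int, str]:
    """Slides 33-39: lower is better. Slide 39 requires a 1-Effective structure
    to hold at least one preventive and one monitoring control; if both are not
    in place the result is held at 2-Monitor (interpretation, not on the slides)."""
    parts = [("automation", automation), ("control_type", control_type),
             ("policies", policies), ("scalability", scalability)]
    rating = band_rating(sum(_check(n, s) for n, s in parts))
    live_kinds = {c.kind for c in controls if c.in_place}
    if rating == 1 and not {"preventive", "monitoring"} <= live_kinds:
        rating = 2
    return rating, CONTROL_LABELS[rating - 1]
```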