
BUSINESS PROCESSES AND RISKS 5-11

Annotations to exhibit 5-6:

A1 Determine what books and papers will be needed for class. Put cell phone and laptop in backpack.

A2 Set alarm for 6:00 a.m. (5:45 if having breakfast).

A3 Includes showering, brushing teeth, fixing hair, and ironing shirt, if necessary.

A4 Evaluate the chance of finding parking and the chance of the bus being late.

A5 Start at lot C1. If no parking space, go to lot C3. If none there, go to remote lot 03.

A6 If 15 minutes remain before class when walking past the coffee shop, stop and get coffee. If not, go directly to class.

EXHIBIT 5-6 DETAILED-LEVEL PROCESS MAP: GETTING TO AN 8:00 A.M. CLASS ON TIME (flowchart). Steps shown, with yes/no decision points: Start; Set Alarm for Tomorrow; Go to Bed; Sleep; Has Alarm Gone Off?; Get Up; Get Dressed; Pack Backpack; Get Backpack; Drive or Bus?; Drive to Campus; Search for Parking; Walk to Bus Stop; Wait for Bus; Ride Bus to School; Get Off at Bus Stop; Walk to Class; Time to Get Coffee?; Buy Coffee; Arrive at Class. Annotations A1 through A6 are keyed to the corresponding steps.

5-12 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

low) or five categories. A basic five-category risk model is presented in exhibit 5-8. Establishing boundaries for each category is useful for gathering input from multiple people. In this model, the boundaries for impact are set in terms of dollar values and impact on business objectives. However, some organizations set boundaries for other measures as well. For instance, some organizations establish impact in terms of reputation, health and safety, legal, or damage to assets. For health and safety, the categories might be slight injury, minor injury, major injury, fatality, and multiple fatalities, with the scale going from negligible to extreme (the impact scale shown in exhibit 5-8), respectively. Each organization will determine the terms used to signify impact. Significance is sometimes used; however, others refer to significance as a combined assessment of impact and likelihood.

Less commonly, severity is another term used to signify the adverse effect of a risk outcome. Regardless of the terminology, what is important is that the terms be defined and applied consistently across risks.

EXHIBIT 5-7 BASIC BUSINESS RISK MODEL (figure). The model groups risks into four categories, each split into internal and external risks: Operations Risks (with subgroups Financial, People, Process, and Information Resources), Reporting Risks, Compliance Risks, and Strategic Risks. Risks named in the figure:

Operations Risks: duration, capital availability, cash management, commodity pricing, concentration, default, foreign currency exchange, interest rates, communications, change readiness, empowerment, capacity, performance incentives, manpower supply, leadership/key employees, cycle time, catastrophic events, lack of product innovation, business continuity, health and human safety, process execution, supply chain capacity, data integrity, privacy, availability, infrastructure, access.

Reporting Risks: internal control and regulatory reporting, taxation, performance measures, accounting and financial reporting, budgeting.

Compliance Risks: contractual, ethics, regulatory, policies, litigation, fraud and illegal acts, permits.

Strategic Risks: governance, customer satisfaction, reputation, strategic focus, change in laws and regulations, competition, change in market dynamics, industry, technology.

Likelihood can be evaluated by assessing the odds or probability of the risk occurring. However, given the subjective nature of these assessments, most managers and internal auditors are more comfortable expressing likelihood in less precise categories. Again, a three-category scale (high, medium, low) or a five-category scale (as shown in exhibit 5-8) is often used. As with impact, it does help to specify the category boundaries. This is usually done in terms of specific probabilities or ranges of probabilities (as in the scale in exhibit 5-8).

EXHIBIT 5-8 RISK ASSESSMENT MODEL (figure). A matrix of impact (vertical axis) against likelihood (horizontal axis), divided into 25 numbered boxes and shaded into four bands: Low Risks, Moderate Risks, High Risks, and Critical Risks.

Impact scale:

Negligible: <$1m; no noticeable impact on objectives

Low: $1-$5m; some undesirable outcomes

Medium: $5-$25m; makes achieving some business objectives challenging

High: $25-$100m; difficult to achieve business objectives

Extreme: >$100m; threatens ongoing existence

Likelihood scale:

Remote (0-10%)

Unlikely (10-25%)

Possible (25-50%)

Probable (50-90%)

Certain (90-100%)

Using the risk assessment model in exhibit 5-8, the various risks from the basic business risk model (exhibit 5-7) can be placed on the matrix. Frequently, this is done in a group session involving senior management or, if they are not available, other levels of management and more experienced individuals from the internal audit function. Using senior management and operations managers is preferable because they have the best understanding of the risks in their areas of responsibility. In this meeting, risks are discussed and consensus is obtained regarding impact, likelihood, and position of the respective risk on the matrix. The combination of impact and likelihood determines the relative importance of the risks. Exhibit 5-8 shows the matrix broken into 25 boxes. In this model, boxes 20 through 25 represent critical risks, and boxes 16 through 19 represent high risks. These risks present the most serious challenge to meeting the organization's objectives. Boxes 7 through 15 are moderate risks and boxes 1 through 6 are low risks.

EXHIBIT 5-9 IDENTIFICATION OF CRITICAL RISKS (figure). The risks from the basic business risk model plotted on the exhibit 5-8 matrix of impact against likelihood. Risks plotted: foreign currency, supply chain, contractual, regulatory policies, IC & reg reporting, duration, capital availability, leadership/key employees, manpower supply, cash management, infrastructure, reputation, technology, competition, customer satisfaction, acct and fin reporting, access, changes in laws and regulations, industry, strategic focus, catastrophic events, governance.

Exhibit 5-9 presents a mapping of the risk model to the risk assessment matrix for an online financial services company. Four risks identified as critical appear in boxes 21 and 22. The risks in boxes 18 and 19 are considered high and, depending on how many objectives they impact, also may require extensive attention.

Risk: The possibility that an event will occur and adversely affect the achievement of objectives.

Risk Response Options: Accept, Avoid, Pursue, Reduce, Share.

From the ERM perspective discussed in chapter 4, the next step would be to develop appropriate responses to each risk. There are five responses an organization can take:

Acceptance. No action is taken to decrease risk impact or likelihood. The organization is willing to accept the risk at the current level rather than spend valuable resources deploying one of the other risk response options.

Avoidance. A decision is made to exit or divest of the activities giving rise to the risk. Risk avoidance may involve, for example, exiting a product line, deciding not to expand to a new geographical market, or selling a division.

Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or is necessary to achieve a particular business objective.

Reduction. Action is taken to reduce the risk impact, likelihood, or both. This involves a myriad of everyday business decisions, such as implementing controls.

Sharing. The risk impact or likelihood is reduced by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity.

Mapping Risks to the Business Processes

To select appropriate response strategies effectively, an understanding of how risks relate to the organization's business processes is necessary. Internal auditors also must establish the links between risks and business processes to determine whether the risks are being managed to appropriate levels within management's response strategies and to identify where in the organization the critical risks reside. IIA Standard 2010: Planning explicitly requires the CAE to "establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."

The next step is to formally link the identified risks to the specific objectives that each risk may impair. This helps to ensure that all key risks, and the resulting impact, have been identified. Returning to the example of getting to class on time, assume the mission this semester is to gain the necessary knowledge and skills to be successful in an entry-level internal audit position. Several specific strategic objectives could be developed to accomplish this mission:

1. Attend all classes.

2. Be on time for each class.

3. Do assigned reading before the class in which it will be discussed.

4. Complete all assignments on time.

5. Obtain a B+ or better on all exams.

The type of analysis performed to gain the necessary knowledge and skills to be successful in an entry-level internal audit position and the requisite objectives can be applied to organizations as well. As mentioned in our discussion of business processes earlier in the chapter, the objectives can usually be found in regulatory filings, such as the 10-K filing for a publicly traded company in the United States, or in the organization's strategic planning documents.

The process depicted in exhibits 5-4 and 5-6 that outlines getting to an 8:00 a.m. class on time contributes to objective 2 and, to an extent, objective 1. Other processes, such as study processes, would be critical to objectives 3, 4, and 5. Chapter 4 defines risk as "the possibility that an event will occur and adversely affect the achievement of an objective." Keeping this definition in mind, a number of risks can be identified that could impede the achievement of the five objectives. For instance, becoming sick could impact the achievement of objectives 1, 2, and 4.

Exhibit 5-10 presents seven critical risks and their potential to impede these five strategic objectives.

EXHIBIT 5-10 OBJECTIVES AND CRITICAL RISK MATRIX (table)

Mission: Gain the necessary knowledge and skills to be successful in an entry-level internal audit position.

Critical risks (columns): CR1 Becomes ill. CR2 Forgets deadline. CR3 Oversleeps or is delayed. CR4 Does not have needed course materials. CR5 Does not have time to complete all work. CR6 Unable to understand material. CR7 Experiences social or other distractions.

Objectives (rows), each marked with an x under every critical risk that could impede it: 1. Attend all classes (two risks marked). 2. Be on time for each class (three risks marked). 3. Do assigned reading prior to the class in which it will be discussed (four risks marked). 4. Complete all assignments on time (six risks marked). 5. Obtain a B+ or better on all exams (four risks marked).

An effective means of depicting how the processes link to the underlying risks is to create a risk by process matrix (similar to the matrix shown in exhibit 5-10, which linked objectives with critical risks). Risks are listed along the top of the matrix, and processes are listed down the side (see exhibit 5-11). The risks would be those identified in the business risk model (exhibit 5-7). Typically, these will be from 30 to 70 risks. The risk assessment process shown in exhibit 5-8 and exhibit 5-9 can be used to shorten the list of risks. For instance, it might be desirable to limit the risks to which processes are linked to only those risks in cells 7 through 25 (see exhibit 5-8).

Key Link: The process plays a direct and key role in managing the risk.

Secondary Link: The process helps to manage the risk indirectly.

The next step is to analyze the processes to determine if there are any associations between the processes and the risks. Returning to the initial process example of getting to an 8:00 a.m. class on time, links between that process (exhibit 5-6) and the seven critical risks listed in exhibit 5-10 can be assessed. There is clearly a direct association between this process and critical risk 3 (oversleeps or is delayed). There also would be an association with critical risk 4 (does not have needed course materials) because part of getting to the 8:00 a.m. class on time involves gathering needed materials for classes and studying the rest of the day. Critical risk 5 (does not have time to complete all work) and critical risk 6 (unable to understand material) are clearly not related to this process. They would be related to other processes such as time management, scheduling, and study processes.

After identifying the risks with which a particular process is associated, the associations should be evaluated as to whether the links are key or secondary. Key links are those in which the process plays a direct and key role in managing the risk. Secondary links are ones in which the process helps to manage the risk indirectly. In the example above, critical risk 3 would be judged as a key link, while critical risk 4 may only be considered a secondary link. When the links are viewed

EXHIBIT 5-11 (table): risk by process matrix. Risks (Risk 1 through Risk 7, continuing to Risk n) are listed across the top and processes (Process 1 through Process 11, continuing to Process n) down the side. Each cell where a process is associated with a risk is marked K (Key Link) or S (Secondary Link); most processes carry one or two K marks and one to three S marks.