5 Steps for Better
Risk Assessments
+1 617 530 1210 | logicmanager.com | info@logicmanager.com ©LogicManager, Inc.
1
Introduction
Simply discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but growing expectations from all angles—the Board of Directors, regulators, investors, consumers, and more—mean risk assessments must directly increase business value and deliver more actionable results.
The reason expectations are rising is the See-Through Economy. This is what we call the current fast-paced age of transparency we’re living in right now. With the click of a button, consumers can share their positive and negative experiences with a brand, which has put reputational risk higher up on the priority ladder.
The See-Through Economy isn’t all doom and gloom though. There’s a way to leverage our increased level of information access to anticipate and meet stakeholder expectations. It all starts with better risk assessments.
In this eBook, we’ll show you how to make your assessments comparable across departments and levels, as well as how to aggregate the information in a way that adds value to your business.
Table of Contents
2 Prioritizing Activities
3 5 Best Practices
4 Adopt a Root-Cause Approach
5 Root-Cause Categories
6 Root-Cause Example
7 Standardize Assessment Scale and Criteria
8 Link Risks to Controls
9 Connect Risks to Strategic Goals
10 Embed ERM in Everyday Activities
11 These 5 Steps in Action
2
Prioritizing Activities is the Key
At its core, the goal of risk management is to make better decisions to add business value. Better decision-making requires transparency into all risk information gathered at your organization. It also requires the ability to prioritize that information by assessing the risks related to organizational goals, resources, controls, and monitoring.
Business value means looking at where you spend time and money so you can prioritize resources and resolve confusing or contentious issues.
Controls, tests, tasks, and resources are, however, very expensive. Risk assessments add priority to these activities, helping you understand how critical each one is.
If you are not prioritizing the right activities, then you’ll likely see these consequences:
Lack of Continuity: Changes in the organization or development of new business lines may result in new activities even though existing ones are more effective.
Lack of Coordination: Often, activities apply to multiple risks or commitments across functional lines. The inability to formally tie activities to risks or commitments hinders inter-functional coordination, resulting in business silos and duplication of effort.
Activity Fatigue: Staff may ignore certain activities because of a lack of time to assess them.
Wasted Resources: If a risk changes, most organizations have no way of knowing how (or even if) these changes will affect their resources and activities.
Activity Obsolescence: In a changing environment, there is no effective way to know when activities no longer apply.
Lack of Prioritization: Picking activities to focus on is likely to be done on an ad hoc basis and subject to the whims of current staff.
3
5 Best Practices
Throughout the remainder of this eBook, we will walk through these 5 best practices:
1. Adopt a Root-Cause Approach
2. Standardize Assessment Scale and Criteria
3. Link Risks to Controls
4. Connect Risks to Strategic Goals
5. Embed ERM in Everyday Activities
By adopting a standardized and objective best-practice risk assessment methodology, you can start to
identify the overlapping activities that crowd your program, prioritize actions, and help your organization
make more informed decisions.
4
1. Adopt a Root-Cause Approach
The most effective way to collect risk data is to identify risk by root cause. Root cause tells us why an event
occurs, which provides information about what triggers a loss and where an organization is vulnerable. Using
root-cause categories provides meaningful context as to what steps to take to mitigate risk.
However, getting people to link root causes with outcomes is often easier said than done. Typically, executive
management thinks in terms of events to avoid or achieve, depending on the effects of such events.
Moreover, they want to be presented information about the events or outcomes they care about. You, as a
risk manager, need to understand the root cause in order to ensure proper mitigating activities are taking
place.
[Figure: two outcomes (Outcome 1, Outcome 2) traced back to three root causes (Root Cause 1, 2, 3), each root cause paired with its own mitigation activity (Mitigation Activity 1, 2, 3).]
Most assessments jump to the “what can go wrong” aspect of risk identification.
The “what could go wrong” is often a detailed effect or symptom. Understanding the root cause requires
generalizing the problem at a higher level and identifying the drivers of the risk.
You can begin to implement this root-cause approach in a facilitated session. You can also use a system
to prompt assessors about the root causes of their concerns, which helps implement a solution on an
enterprise scale. As you work with process owners, begin to build your root-cause risk library, and try to reuse
root-cause risks already identified by other business areas to help identify systemic risks throughout the
organization, as well as areas of upstream and downstream dependencies.
5
Root-Cause Categories
Many risk managers find it hard to engage multiple departments because those departments are unfamiliar with risk management as a discipline and therefore aren’t sure how to communicate about it. As you can imagine, talking about the same root causes, outcomes, or mitigations in different ways can cause unnecessary roadblocks.
Consider building your risk library on these root-cause categories:
External: Risk caused by outside people, the environment, and other circumstances. Examples: fluctuations in economic markets, weather-related hazards or disasters, lack of public infrastructure.
People: Risks involving people who work for the organization. Examples: misuse of confidential information, willful noncompliance with policies, lack of necessary skill sets.
Process: Risk arising from the organization’s execution of business operations. Examples: inadequate budgeting, missing documentation, lack of policies or procedures.
Relationships: Risk caused by the organization’s connection with third parties. Examples: contracts are not reviewed properly, inadequate security protocols in third-party relationships.
Systems: Risks associated with IT processes, security, data, or information assets. Examples: data is inaccessible, failure to adopt new technology trends, inadequate system maintenance.
6
Root-Cause Example
To demonstrate the value of root causes, let’s look at a brief example: fraud.
Say you have two people, an employee and a contractor, sitting side-by-side in the same room. One of them
is committing fraud.
Your effective mitigation activity (if the employee is the culprit) will be getting HR involved. Your effective
mitigation activity (if the contractor is the culprit) will be dealing with the third party.
What if it is a system or process that has a flaw that is allowing fraudulent activities to happen? It could be a
matter of good people in a bad situation. Knowing the source of the risk is fundamental to your solution.
[Figure: Outcome: Fraud. Potential root causes: Employee, Contractor, System Failure. Corresponding mitigation activities: HR, Vendor, IT.]
7
2. Standardize Assessment Scale and Criteria
After you’ve created a system for labeling or identifying risk, you can move on to assessing the potential impact of each risk. A lot of organizations use a high-medium-low scale to assess their risks, but this actually isn’t best practice.
High, medium, and low scales make it difficult and time-consuming to quantify, aggregate, and objectively rank information. With only three options for employees to choose from, they’ll likely feel conflicted about which one to choose. Many employees may even feel compelled to write in a medium/high option.
In reality, best practice favors a 1-10 scale, with 10 having the most unfavorable consequences to the organization.
Using a 1-10 scale makes calculating the residual index score of a risk more straightforward. Giving employees more flexibility in their assessments will increase accuracy and confidence when determining what your top risks really are.
[Figure: residual risk score calculation, shown ending in "/ 10 = 16.2" (Residual Risk Score).]
8
How do you determine the priority of a SOX control vs. an operational policy vs. an insurance review?
You need defined evaluation criteria for these scales. Often, one person’s 9 is another person’s 7. You should provide a clear, unambiguous definition for each of the 5 buckets. The key is to express severity in both quantitative and qualitative terms (such as the dimensions of finance, legality, operations, regulations, strategy, etc.) in a standardized way. Each bucket should have a variation of these themes applicable to its level of severity.
Only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that level. For example, if an identified risk factor prevents the organization from achieving its strategic plan, rate the impact of that risk factor at the 9-10 level regardless of whether it has only a perceived minimal negative impact on sales.
Although a variety of assessment criteria are used, all categories should be on a 1-10 scale and calibrated, meaning the description of a 7 (even if worded differently in other risk assessment criteria) carries the same severity. This allows the aggregation of assessments to provide a holistic view of risk.
Impact assessment criteria (each bucket is defined across the Financial, Legal, Operational, Regulatory, and Strategic dimensions):
1 – 2 Insignificant: criteria per dimension (Financial, Legal, Operational, Regulatory, Strategic)
3 – 4 Minor: criteria per dimension (Financial, Legal, Operational, Regulatory, Strategic)
5 – 6 Moderate: criteria per dimension (Financial, Legal, Operational, Regulatory, Strategic)
7 – 8 Serious:
• Financial: Negative impact on net income – $15 million to $20 million
• Financial: Alternative financing (debt), sale or restructuring of the organization could be required
• Operational: Inability to remain competitive (e.g., lagging customer service, operational inefficiencies)
• Regulatory: Regulatory penalties are required
9 – 10 Major:
• Financial: Negative impact on net income – over $20 million
• Financial: Catastrophic impact on financial statements (e.g., critical contractual ratios are no longer met)
• Operational: Long-term impairment of critical functions makes the organization vulnerable to forced sale or merger
• Regulatory: Regulatory agencies seize control of assets or are granted absolute decision-making authority
9
3. Link Risks to Controls
Once you have identified the source of risks and assessed them objectively, you need to know how controls
are actually covering risks.
Often, the knowledge of how the risk is mitigated is only a conversational explanation from the business area
in facilitated sessions.
This is sufficient for some risks, but you want to make sure for a certain subset of your top risks that these
mitigation activities are adequate.
Maintaining a system where risks are directly linked to their controls helps you maintain better governance over mitigation activities. With such a system, you have a valuable record of when and why different controls were created, as well as auditable proof that your business is working to manage risk.
10
4. Connect Risks to Strategic Goals
Getting an accurate pulse on strategic imperatives is challenging because these goals are cross-functional in nature. And while they are extremely useful for the board and senior executives, they are impossible to act upon without operationalizing them (breaking them down into root-cause, silo-specific activities within business areas), and this is where risk management plays a role.
1. Link Risks to Goals
You need to connect risks to corporate goals. You can get these strategic goals from the strategic plans and
other places within your organization. The next step is to identify a number of root-cause risks that could
threaten to derail this corporate goal. For example, Customer Satisfaction is a strategic goal. Determine which
root-cause risks in your risk register will impact the goal of Customer Satisfaction.
2. Connect Goals and Risks to Business Areas
Next, work with business areas to identify which strategic goals they have an impact on and identify and
assess, as we discussed earlier, which of the risks you identified are applicable to their business area.
[Figure: a Strategic Imperative broken down into Processes, each Process broken down into Activities.]
11
3. Make Presentations Relevant and Actionable
The traditional way of presenting risks to the board and senior executives is the “top 10 risks” method. A
more valuable approach is showing the top risks above a certain cut-level, or tolerance, for each strategic
goal.
By connecting root-cause indicators from business areas to events and goals, you can accomplish two
things: first, present information so the board recognizes and understands what business areas contribute
to that concern or objective. Second, know the root-cause issues of the goal or objective, which makes it all
actionable.
If you follow the best practices we have covered so far in this presentation, you can say, “Here are our goals,
here are the biggest risks to these goals, and here are all of the related resources and activities across the
organization to mitigate these risks and achieve the desired level of performance.”
This type of presentation is actionable because if you successfully mitigate your top risks, the organization
will be able to achieve a measurable milestone. On the other hand, even if you effectively mitigated all top
10 risks, you might not move your organization forward because not enough risks in any one area were
mitigated to reach critical mass to move your organization toward its goal.
[Figure: heat map for Strategic Goal: Cash Flow Predictability, plotting Likelihood against Impact on 1-2, 3-4, 5-6, 7-8, 9-10 axes; color indicates Assurance scores, where 1 is the most effective. Sample register row: Category: Process; Factor: Transactions; Indicator: Transactions are improperly valued; numeric columns (Impact, Likelihood, Assurance, Inherent Index, Residual Index) shown as 6, 68, 36, 28.8.]
12
5. Embed ERM in Everyday Activities
At the end of the day, better risk assessments can only be fostered by engagement, and this is the hardest
part. The good news is, when it comes to business, people love success and efficiency. So be your own
business case! Start to use your own experience and successes to get others to see the value involved.
Risk is in everyone’s job responsibilities. The more integrated ERM is in everyone’s job descriptions, the easier
risk assessments will become and the more valuable they will be, but this may take time. Start integrating
ERM into everyone’s day-to-day activities by starting with your own area.
By applying an ERM approach to your own functional area, you can prioritize existing activities, manage
change, objectify conclusions to enable better issue escalation, and gain a panoramic view of disparate
controls and tests. All of this will help you streamline and add value to current activities, enabling you to
spend less time on check-the-box compliance or insurance efforts and more time preventing loss events and
identifying emerging risks.
13
These 5 Steps in Action
As an example, let’s look at a situation most companies face: professional liability insurance applications.
Insurance companies require seemingly innocuous assertions about the management of your organization’s operations and governance. Among the activities they seek information on are operational controls, management of content and privacy exposures, computer systems controls, computer system access protection, data back-up procedures, and data encryption procedures.
Did you ever notice that they are actually doing a risk assessment of your organization?
They rely upon your representations and answers for their assessment of your organization’s risk! The
problem is you’re making representations on cross-functional issues dependent on others. With a centralized
repository of risks and the activities they are connected to, as we discussed earlier, you can identify the root-
cause risk and automatically know what controls exist across the enterprise.
[Figure: worked example]
Outcome: Content management and privacy exposure liability
Potential Root Cause: Category: Process; Risk: Transactions are not clearly supported by technical or legal pronouncements; Impact: 6, Likelihood: 5, Assurance: 3
Mitigation Activities: IT: Access Rights Policy; Legal: Privacy Policy Review; HR: HIPAA Compliance; Vendor Management: Verification of Non-Contracted Employees
Here we have a typical professional liability loss that everybody is trying to prevent in 100 different ways. We can choose one potential root cause from the process category, for instance, and define the risk further. We also give this risk a score based on impact, likelihood, and assurance to get an idea of its criticality.
And we have a nice list of the activities occurring across the organization to control the risk. All in all, we have a comprehensive and accurate way to answer the questions posed by our insurers.
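The scoring and reporting described in Steps 2 and 4, and the worked example above, as an added example (not LogicManager's code): a small root-cause risk register that enforces the calibrated 1-10 scale, rates impact by the worst dimension (only one criterion for a level has to be met), links each risk to its controls and strategic goals, and lists the risks above a tolerance per goal. The residual-index formula (inherent index times assurance, divided by 10) is an assumption inferred from the figure values (inherent 36, assurance 8, residual 28.8); the register contents are constructed sample data modelled on the eBook's examples.

```python
# Added example, not LogicManager's code. Root-cause risk register with
# calibrated 1-10 scoring, risk-to-control and risk-to-goal links, and
# per-goal tolerance reporting.
from dataclasses import dataclass, field

# Root-cause categories and severity dimensions as listed in the eBook
ROOT_CAUSE_CATEGORIES = ("External", "People", "Process", "Relationships", "Systems")
DIMENSIONS = ("Financial", "Legal", "Operational", "Regulatory", "Strategic")
SEVERITY_BUCKETS = ((1, 2, "Insignificant"), (3, 4, "Minor"), (5, 6, "Moderate"),
                    (7, 8, "Serious"), (9, 10, "Major"))


def check_score(name, value):
    """Enforce the standardized 1-10 scale (no 'medium/high' write-ins)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


def bucket(score):
    """Map a calibrated 1-10 score to its severity bucket label."""
    for low, high, label in SEVERITY_BUCKETS:
        if low <= score <= high:
            return label
    raise ValueError(f"score out of range: {score!r}")


def rate_impact(dimension_scores):
    """Impact is the worst dimension: only one criterion for a level has to be met."""
    if not dimension_scores:
        raise ValueError("at least one dimension must be scored")
    for dim, score in dimension_scores.items():
        if dim not in DIMENSIONS:
            raise ValueError(f"unknown dimension {dim!r}")
        check_score(dim, score)
    return max(dimension_scores.values())


@dataclass
class Risk:
    name: str
    category: str              # one of ROOT_CAUSE_CATEGORIES
    impact: dict               # dimension -> 1..10
    likelihood: int            # 1..10
    assurance: int             # 1..10, where 1 = most effective controls
    controls: list = field(default_factory=list)  # linked mitigation activities
    goals: list = field(default_factory=list)     # linked strategic goals

    def __post_init__(self):
        if self.category not in ROOT_CAUSE_CATEGORIES:
            raise ValueError(f"unknown root-cause category {self.category!r}")
        check_score("likelihood", self.likelihood)
        check_score("assurance", self.assurance)
        rate_impact(self.impact)

    def inherent_index(self):
        return rate_impact(self.impact) * self.likelihood

    def residual_index(self):
        # Assumption: residual = inherent x assurance / 10, which reproduces the
        # eBook's figure row (inherent 36, assurance 8 -> residual 28.8).
        return self.inherent_index() * self.assurance / 10


def risks_above_tolerance(register, goal, tolerance):
    """Step 4: risks to one strategic goal whose residual index exceeds the cut-level."""
    hits = [r for r in register if goal in r.goals and r.residual_index() > tolerance]
    return sorted(hits, key=lambda r: r.residual_index(), reverse=True)


def goal_report(register, goal, tolerance):
    """Board-ready rows: goal -> risk -> score -> controls already mitigating it."""
    return [{"risk": r.name, "category": r.category,
             "impact_bucket": bucket(rate_impact(r.impact)),
             "residual_index": r.residual_index(), "controls": list(r.controls)}
            for r in risks_above_tolerance(register, goal, tolerance)]


def sample_register():
    """Constructed sample data modelled on the eBook's examples (not real scores)."""
    return [
        Risk("Transactions are improperly valued", "Process",
             {"Financial": 6, "Operational": 4}, likelihood=6, assurance=8,
             controls=["Finance: Transaction Valuation Review"],  # constructed control
             goals=["Cash Flow Predictability"]),
        Risk("Transactions are not clearly supported by technical or legal pronouncements",
             "Process", {"Legal": 6, "Financial": 3}, likelihood=5, assurance=3,
             controls=["IT: Access Rights Policy", "Legal: Privacy Policy Review",
                       "HR: HIPAA Compliance",
                       "Vendor Management: Verification of Non-Contracted Employees"],
             goals=["Cash Flow Predictability", "Customer Satisfaction"]),
        Risk("Misuse of confidential information", "People",
             {"Legal": 9, "Financial": 3}, likelihood=3, assurance=5,
             controls=["IT: Access Rights Policy"], goals=["Customer Satisfaction"]),
    ]


if __name__ == "__main__":
    for row in goal_report(sample_register(), "Cash Flow Predictability", tolerance=10):
        print(row)
```

With a tolerance of 10, only the first Process risk (residual 28.8) is reported against Cash Flow Predictability; the second (residual 9.0) falls below the cut-level even though it is linked to the same goal.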
14
Build Better Risk Assessments with LogicManager
There’s a lot going on in this eBook. But have no fear! The most successful companies with the best ERM programs take it one step at a time.
Many companies, however, find it easier to implement these five steps with the help of ERM software. Request a demonstration to see how LogicManager can help you communicate across departments, collect actionable information, and report on your success. Not ready for a demo but want more information on how to improve? Download our eBook, “5 Characteristics of the Best ERM Programs.”
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxsaniyaimamuddin
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCR8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCRashishs7044
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 

Último (20)

TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCR8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCR
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 

5 Steps for Better Risk Assessments

+1 617 530 1210 | logicmanager.com | info@logicmanager.com ©LogicManager, Inc.
Introduction

Simply discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but growing expectations from all angles (the Board of Directors, regulators, investors, consumers, and more) mean risk assessments must directly increase business value and deliver more actionable results.

The reason expectations are rising is the See-Through Economy. This is what we call the current fast-paced age of transparency we're living in. With the click of a button, consumers can share their positive and negative experiences with a brand, which has put reputational risk higher up on the priority ladder.

The See-Through Economy isn't all doom and gloom though. There's a way to leverage our increased level of information access to anticipate and meet stakeholder expectations. It all starts with better risk assessments.

In this eBook, we'll show you how to make your assessments comparable across departments and levels, as well as how to aggregate the information in a way that adds value to your business.

Table of Contents

2 Prioritizing Activities
3 5 Best Practices
4 Adopt a Root-Cause Approach
5 Root-Cause Categories
6 Root-Cause Example
7 Standardize Assessment Scale and Criteria
8 Link Risks to Controls
9 Connect Risks to Strategic Goals
10 Embed ERM in Everyday Activities
11 These 5 Steps in Action
Prioritizing Activities is the Key

At its core, the goal of risk management is to make better decisions to add business value. Better decision-making requires transparency into all risk information gathered at your organization. It also requires the ability to prioritize that information by assessing the risks related to organizational goals, resources, controls, and monitoring.

Business value means looking at where you spend time and money so you can prioritize resources and resolve confusing or contentious issues. Nevertheless, controls, tests, tasks, and resources are very expensive. Risk assessments add priority to these activities, helping you understand how critical each one is.

If you are not prioritizing the right activities, then you'll likely see these consequences:

Lack of Continuity
Changes in the organization or development of new business lines may result in new activities even though existing ones are more effective.

Lack of Coordination
Often, activities apply to multiple risks or commitments across functional lines. The inability to formally tie activities to risks or commitments hinders inter-functional coordination, resulting in business silos and duplication of effort.

Activity Fatigue
Staff may ignore certain activities because of a lack of time to assess them.

Wasted Resources
If a risk changes, most organizations have no way of knowing how (or even if) these changes will affect their resources and activities.

Activity Obsolescence
In a changing environment, there is no effective way to know when activities no longer apply.

Lack of Prioritization
Picking activities to focus on is likely to be done on an ad hoc basis and subject to the whims of current staff.
5 Best Practices

Throughout the remainder of this eBook, we will walk through these 5 best practices:

1. Adopt a Root-Cause Approach
2. Standardize Assessment Scale and Criteria
3. Link Risks to Controls
4. Connect Risks to Strategic Goals
5. Embed ERM in Everyday Activities

By adopting a standardized and objective best-practice risk assessment methodology, you can start to identify the overlapping activities that crowd your program, prioritize actions, and help your organization make more informed decisions.
1. Adopt a Root-Cause Approach

The most effective way to collect risk data is to identify risk by root cause. Root cause tells us why an event occurs, which provides information about what triggers a loss and where an organization is vulnerable. Using root-cause categories provides meaningful context as to what steps to take to mitigate risk.

However, getting people to link root causes with outcomes is often easier said than done. Typically, executive management thinks in terms of events to avoid or achieve, depending on the effects of such events. Moreover, they want to be presented with information about the events or outcomes they care about. You, as a risk manager, need to understand the root cause in order to ensure proper mitigating activities are taking place.

Diagram: outcomes (Outcome 1, Outcome 2) traced back to their root causes (Root Cause 1, 2, 3), each of which is tied to a mitigation activity (Mitigation Activity 1, 2, 3).

Most assessments jump to the "what can go wrong" aspect of risk identification. The "what could go wrong" is often a detailed effect or symptom. Understanding the root cause requires generalizing the problem at a higher level and identifying the drivers of the risk.

You can begin to implement this root-cause approach in a facilitated session. You can also use a system to prompt assessors about the root causes of their concerns, which helps implement a solution on an enterprise scale. As you work with process owners, begin to build your root-cause risk library, and try to reuse root-cause risks already identified by other business areas to help identify systemic risks throughout the organization, as well as areas of upstream and downstream dependencies.
Root-Cause Categories

Many risk managers find it hard to engage multiple departments because those departments are unfamiliar with risk management as a discipline and therefore aren't sure how to communicate about it. As you can imagine, talking about the same root causes, outcomes, or mitigations in different ways can cause unnecessary roadblocks. Consider using these root-cause categories to build your risk library on.

External
Risk caused by outside people, environment, and other circumstances.
Examples: Fluctuations in economic markets, weather-related hazards or disasters, lack of public infrastructure

People
Risks involving people who work for the organization.
Examples: Misuse of confidential information, willful noncompliance with policies, lack of necessary skill sets

Process
Risk arising from the organization's execution of business operations.
Examples: Inadequate budgeting, missing documentation, lack of policies or procedures

Relationships
Risk caused by the organization's connection with third parties.
Examples: Contracts are not reviewed properly, inadequate security protocols on third-party relationships

Systems
Risks associated with IT processes, security, data, or information assets.
Examples: Data is inaccessible, failure to adopt new technology trends, inadequate system maintenance
Root-Cause Example

To demonstrate the value of root causes, let's look at a brief example: fraud. Say you have two people, an employee and a contractor, sitting side-by-side in the same room. One of them is committing fraud. Your effective mitigation activity (if the employee is the culprit) will be getting HR involved. Your effective mitigation activity (if the contractor is the culprit) will be dealing with the third party. What if it is a system or process that has a flaw that is allowing fraudulent activities to happen? It could be a matter of good people in a bad situation. Knowing the source of the risk is fundamental to your solution.

Outcome: Fraud
Potential Root Cause: Employee -> Mitigation Activities: HR
Potential Root Cause: Contractor -> Mitigation Activities: Vendor
Potential Root Cause: System Failure -> Mitigation Activities: IT
2. Standardize Assessment Scale and Criteria

After you've created a system for labeling or identifying risk, you can move on to assessing the potential impact of each risk. A lot of organizations use a high-medium-low scale to assess their risks, but this actually isn't best practice. High-medium-low scales make it difficult and time-consuming to quantify, aggregate, and objectively rank information. With only three options for employees to choose from, they'll likely feel conflicted about which one to choose. Many employees may even feel compelled to write in a medium/high option.

In reality, best practice favors a 1-10 scale, with 10 having the most unfavorable consequences to the organization. Using a 1-10 scale makes calculating the residual index score of a risk more straightforward. Giving employees more flexibility in their assessments will increase accuracy and give you more confidence when determining what your top risks really are.

Figure: residual risk score calculation (... / 10 = 16.2 Residual Risk Score).
How do you determine the priority of a SOX control vs. an operational policy vs. an insurance review? You need defined evaluation criteria for these scales. Often, one person's 9 is another person's 7. You should provide a clear, unambiguous definition for each of the 5 buckets.

The key is to express severity in both quantitative and qualitative terms (such as dimensions of finance, legality, operations, regulations, strategy, etc.) in a standardized way. Each bucket should have a variation of these themes applicable to each level of severity. Only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that level. For example, if an identified risk factor prevents the organization from achieving its strategic plan, rate the impact of the risk factor at the 9-10 level regardless of whether the risk factor has only a perceived minimal negative impact on sales.

Although a variety of assessment criteria are used, all categories should be on a 1-10 scale and calibrated, meaning the description of a 7 (even if described differently in other risk assessment criteria) carries the same severity. This allows the aggregation of assessments to provide a holistic view of risk.

Impact criteria by level. Each level has Financial, Legal, Operational, Regulatory, and Strategic criteria; the slide spells out the Serious and Major levels:

1 – 2 Insignificant: Financial, Legal, Operational, Regulatory, Strategic
3 – 4 Minor: Financial, Legal, Operational, Regulatory, Strategic
5 – 6 Moderate: Financial, Legal, Operational, Regulatory, Strategic

7 – 8 Serious
• Financial: Negative impact on net income – $15 million to $20 million
• Financial: Alternative financing (debt), sale or restructuring of the organization could be required
• Operational: Inability to remain competitive (e.g., lagging customer service, operational inefficiencies)
• Regulatory: Regulatory penalties are required

9 – 10 Major
• Financial: Negative impact on net income – over $20 million
• Financial: Catastrophic impact on financial statements (e.g., critical contractual ratios are no longer met)
• Operational: Long-term impairment of critical functions makes the organization vulnerable to forced sale or merger
• Regulatory: Regulatory agencies seize control of assets or are granted absolute decision-making authority
3. Link Risks to Controls

Once you have identified the source of risks and assessed them objectively, you need to know how controls are actually covering risks. Often, the knowledge of how the risk is mitigated is only a conversational explanation from the business area in facilitated sessions. This is sufficient for some risks, but for a certain subset of your top risks you want to make sure that these mitigation activities are adequate.

Maintaining a system where risks are directly linked to their controls helps you maintain better governance over mitigation activities. With such a system, you have a valuable record of when and why different controls were created, as well as auditable proof that your business is working to manage risk.
4. Connect Risks to Strategic Goals

Getting an accurate pulse on strategic imperatives is challenging because these goals are cross-functional in nature. And while they are extremely useful for the board and senior executives, they are impossible to act upon without operationalizing them (breaking them down into root-cause, silo-specific activities within business areas), and this is where risk management plays a role.

1. Link Risks to Goals
You need to connect risks to corporate goals. You can get these strategic goals from the strategic plans and other places within your organization. The next step is to identify a number of root-cause risks that could threaten to derail each corporate goal. For example, Customer Satisfaction is a strategic goal. Determine which root-cause risks in your risk register will impact the goal of Customer Satisfaction.

2. Connect Goals and Risks to Business Areas
Next, work with business areas to identify which strategic goals they have an impact on, and identify and assess, as we discussed earlier, which of the risks you identified are applicable to their business area.

Diagram: a Strategic Imperative broken down into Processes, each of which is broken down into Activities.
3. Make Presentations Relevant and Actionable

The traditional way of presenting risks to the board and senior executives is the "top 10 risks" method. A more valuable approach is showing the top risks above a certain cut-level, or tolerance, for each strategic goal.

By connecting root-cause indicators from business areas to events and goals, you can accomplish two things: first, present information so the board recognizes and understands which business areas contribute to that concern or objective. Second, know the root-cause issues behind the goal or objective, which makes it all actionable.

If you follow the best practices we have covered so far in this presentation, you can say, "Here are our goals, here are the biggest risks to these goals, and here are all of the related resources and activities across the organization to mitigate these risks and achieve the desired level of performance."

This type of presentation is actionable because if you successfully mitigate your top risks, the organization will be able to achieve a measurable milestone. On the other hand, even if you effectively mitigated all top 10 risks, you might not move your organization forward because not enough risks in any one area were mitigated to reach the critical mass needed to move your organization toward its goal.

Strategic Goal: Cash Flow Predictability

Category | Factor       | Indicator                          | Impact | Likelihood | Assurance | Inherent Index | Residual Index
Process  | Transactions | Transactions are improperly valued | 6      | 6          | 8         | 36             | 28.8

Heat map: Likelihood against Impact in 1-2, 3-4, 5-6, 7-8, and 9-10 bands; color indicates Assurance scores, where 1 is the most effective.
5. Embed ERM in Everyday Activities

At the end of the day, better risk assessments can only be fostered by engagement, and this is the hardest part. The good news is, when it comes to business, people love success and efficiency. So be your own business case! Start to use your own experience and successes to get others to see the value involved.

Risk is in everyone's job responsibilities. The more integrated ERM is in everyone's job descriptions, the easier risk assessments will become and the more valuable they will be, but this may take time. Start integrating ERM into everyone's day-to-day activities by starting with your own area.

By applying an ERM approach to your own functional area, you can prioritize existing activities, manage change, objectify conclusions to enable better issue escalation, and gain a panoramic view of disparate controls and tests. All of this will help you streamline and add value to current activities, enabling you to spend less time on check-the-box compliance or insurance efforts and more time preventing loss events and identifying emerging risks.
These 5 Steps in Action

As an example, let's look at a situation most companies face: professional liability insurance applications. Insurance companies require seemingly innocuous assertions about the management of your organization's operations and governance. Among other things, they seek information on operational controls, management of content and privacy exposures, computer systems controls, computer system access protection, data back-up procedures, and data encryption procedures.

Did you ever notice that they are actually doing a risk assessment of your organization? They rely upon your representations and answers for their assessment of your organization's risk! The problem is you're making representations on cross-functional issues dependent on others. With a centralized repository of risks and the activities they are connected to, as we discussed earlier, you can identify the root-cause risk and automatically know what controls exist across the enterprise.

Outcome: Content management and privacy exposure liability
Potential Root Cause: Category: Process; Risk: Transactions are not clearly supported by technical or legal pronouncements; Impact: 6; Likelihood: 5; Assurance: 3
Mitigation Activities: IT: Access Rights Policy; Legal: Privacy Policy Review; HR: HIPAA Compliance; Vendor Management: Verification of Non-Contracted Employees

Here we have a typical professional liability loss that everybody is trying to prevent in 100 different ways. We can choose one potential root cause from the process category, for instance, and define the risk further. We also give this risk a score based on impact, likelihood, and assurance to get an idea of its criticality. And we have a nice list of the activities occurring across the organization to control the risk. All in all, we have a comprehensive and accurate way to answer the questions posed by our insurers.
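The scoring that "Standardize Assessment Scale and Criteria", "Make Presentations Relevant and Actionable" and "These 5 Steps in Action" only show in figures (impact, likelihood and assurance on a 1-10 scale, combined into inherent and residual indices, linked to controls and ranked against a per-goal cut-level), worked as an added Python example that is not from the eBook or LogicManager. The formula inherent = impact × likelihood and residual = inherent × assurance / 10 is an assumption inferred from the 6, 6, 8, 36 and 28.8 values in the figure; the tolerance values and most register rows are constructed.

```python
"""Score a root-cause risk register and report it per strategic goal.

Added example, not LogicManager's code. The formula is an assumption inferred
from the eBook's figures (impact 6, likelihood 6, assurance 8 -> inherent 36,
residual 28.8): inherent = impact * likelihood; residual = inherent * assurance / 10.
All inputs use the 1-10 scale; for assurance, 1 means the most effective controls.
"""
from dataclasses import dataclass

CATEGORIES = ("External", "People", "Process", "Relationships", "Systems")
IMPACT_BUCKETS = ((1, 2, "Insignificant"), (3, 4, "Minor"), (5, 6, "Moderate"),
                  (7, 8, "Serious"), (9, 10, "Major"))

def valid_score(value) -> bool:
    """True only for an integer on the 1-10 scale (no 'medium/high' write-ins)."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 10

def impact_bucket(impact: int) -> str:
    """Map a 1-10 impact score to its calibrated bucket, e.g. 6 -> '5-6 Moderate'."""
    for low, high, label in IMPACT_BUCKETS:
        if low <= impact <= high:
            return f"{low}-{high} {label}"
    raise ValueError(f"impact must be 1-10, got {impact!r}")

@dataclass(frozen=True)
class Risk:
    category: str         # root-cause category from the risk library
    indicator: str        # the root-cause risk statement
    impact: int
    likelihood: int
    assurance: int        # 1 = most effective controls, 10 = no effective controls
    goals: tuple = ()     # strategic goals this risk threatens (step 4)
    controls: tuple = ()  # linked mitigation activities across the organization (step 3)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown root-cause category {self.category!r}")
        for name in ("impact", "likelihood", "assurance"):
            if not valid_score(getattr(self, name)):
                raise ValueError(f"{name} must be an integer 1-10")

    @property
    def inherent(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual(self) -> float:
        return self.inherent * self.assurance / 10

def top_n_overall(register, n=10):
    """The traditional 'top 10 risks' list, ranked by residual index."""
    return sorted(register, key=lambda r: r.residual, reverse=True)[:n]

def risks_above_tolerance(register, goal, tolerance):
    """Risks threatening one strategic goal whose residual index exceeds the cut-level."""
    hits = [r for r in register if goal in r.goals and r.residual > tolerance]
    return sorted(hits, key=lambda r: r.residual, reverse=True)

def uncontrolled_risks(register, tolerance):
    """Top risks with no linked control: their mitigation exists only as a conversation."""
    return [r for r in register if r.residual > tolerance and not r.controls]

def goal_report(register, goal, tolerance):
    """Goal -> its top risks -> every linked activity across the organization."""
    risks = risks_above_tolerance(register, goal, tolerance)
    return {"goal": goal, "tolerance": tolerance,
            "risks": [(r.category, r.indicator, r.residual) for r in risks],
            "controls": sorted({c for r in risks for c in r.controls})}

# Constructed sample register: the scores of the first two rows and the controls
# of the second come from the eBook's figures; everything else is made up.
REGISTER = (
    Risk("Process", "Transactions are improperly valued", 6, 6, 8,
         goals=("Cash Flow Predictability",), controls=("Finance: valuation review",)),
    Risk("Process", "Transactions are not clearly supported by technical or legal pronouncements",
         6, 5, 3, goals=("Cash Flow Predictability",),
         controls=("IT: Access Rights Policy", "Legal: Privacy Policy Review",
                   "HR: HIPAA Compliance", "Vendor Management: Verification of Non-Contracted Employees")),
    Risk("Systems", "Data is inaccessible", 9, 2, 9, goals=("Customer Satisfaction",)),
    Risk("People", "Misuse of confidential information", 7, 3, 4,
         goals=("Customer Satisfaction", "Cash Flow Predictability"), controls=("HR: policy attestation",)),
    Risk("External", "Weather-related hazards or disasters", 8, 2, 6,
         goals=("Customer Satisfaction",), controls=("Business continuity plan",)),
)
```

Running `goal_report(REGISTER, "Customer Satisfaction", 9.5)` returns the two risks above the cut-level with the single linked control, while `uncontrolled_risks` flags the "Data is inaccessible" row whose residual of 16.2 is backed by no linked activity.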
Build Better Risk Assessments with LogicManager

There's a lot going on in this eBook. But have no fear! The most successful companies with the best ERM programs take it one step at a time.

Many companies, however, find it easier to implement these five steps with the help of ERM software. Request a demonstration to see how LogicManager can help you communicate across departments, collect actionable information, and report on your success. Not ready for a demo but want more information on how to improve? Download our eBook, "5 Characteristics of the Best ERM Programs."

LogicManager solution areas: Audit Management, Business Continuity & DR, Compliance Management, Incident Management, Enterprise Risk Management, Financial Reporting (SOX, MAR), Policy Management, Vendor Management, IT Governance & Security.

+1 617 530 1210 | logicmanager.com | info@logicmanager.com ©LogicManager, Inc.