Part II: Risk Assessment
In the last post on this topic, we discussed the importance of controlling an environment in responding to and preventing risk. Another component of the COSO framework for fraud risk management is taking steps to assess your risk. All businesses experience risk, but it is important to determine risk so that you can identify a comfortable risk level that is appropriate for your business goals and available resources.
Enterprise Risk Management (ERM) is a process used by a business to manage risks and consequently achieve business goals. This process involves identifying fraud risk, assessing its impact on the company, and determining an appropriate response. This process is typically conducted or managed by the business’s board members, top managers, or internal audit functions.
1) Identify Risks: The process of identifying risks includes creating a master list of risks organized by their financial, operational, strategic, and compliance impact. At this stage, managers take a broad view of all possible threats to understand the full universe of potential impact.
2) Develop Assessment Criteria: To refine and rank the universe of risks that managers have identified, the business must develop a standard set of criteria that can apply to all business units, functions, and projects. Companies often develop measures aimed at determining the likelihood, financial impact, vulnerability, and speed of onset for each risk. The plan can be presented as simply as 5-point scales in each of these categories.
3) Assess Risk: A business can assess each risk using qualitative and quantitative analysis. Qualitative analysis is typically easier to implement and doesn’t require financial benchmarks. This analysis includes techniques such as surveying, benchmarking, and scenario analysis. Qualitative study often provides insight into issues beyond economic measurement, including assessing vulnerability and the impact of a fraud event on the company’s reputation.
Quantitative analysis typically follows qualitative study and is performed on the risks deemed most important. This method requires assigning a numerical value to assess the impact and likelihood of each risk. This type of analysis can be more time-consuming and costlier, but it allows for cash flow and cost-benefit analysis. This method often includes benchmarking and predictive modeling.
4) Prioritize Risks: Once risks are identified and assessed, management’s next job is to prioritize those risks for an appropriate response. Threats are often organized in a hierarchy by business units, functions, and projects, or plotted on risk maps.
With these steps and analysis in place, companies are now ready to begin planning how to respond to risk appropriately. For more information on how to begin assessing your risks, contact Abacus CPAs, LLC at 417-823-7171 or www.abacuscpas.com. Better Guidance. Smarter Decisions.
Matt Clark, CPA, CIA