Impact and likelihood are the most common risk metrics we use in our assessments. Until now, only a few internal audit departments have taken the next step of including other risk metrics, such as risk velocity. Among the many lessons we all learned from COVID-19, one of the most important updates we can make to our risk assessment methodology is to include risk velocity, especially when considering emerging risks. To understand how to apply risk velocity to our assessments, we can start with the requirements detailed in The IIA Standards; then, we can take a practical approach to using this new metric in our risk assessments.
The primary standard that discusses risk assessments is Standard 2010 - Planning. The standard says, “the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.” The sub-point, 2010 A.1, gives us a bit more guidance saying, “the internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”
So here is the guidance:
- We should base our plan on a risk assessment.
- Start with the organization’s goals.
- Perform the assessment at least once a year, but more frequently is better.
- Document the results and discuss them with senior management and the board.
The Standards don’t give us much to work with on the actual prioritizing process. In fact, we have to go to the glossary section of The Standards to find measurement guidance. The glossary defines risk as “The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
The Standards only provide a baseline for performing the job of an internal auditor. It’s our duty to go further than the minimum standards to be a value-adding partner to the organization.
To take the risk assessment to the next level, we can include factors beyond impact and likelihood, such as velocity. The idea behind velocity is to capture a time element in the risk measurement. Typically, this is seen as either Time to Cause or Time to Impact.
Velocity is the speed at which a risk moves from its triggering event to its consequences. Take the spread of COVID-19 as an example: Time to Cause would measure how quickly the virus passes from person to person, while Time to Impact would measure how quickly people get sick or businesses are affected. You could choose to focus on one or both of these measurements.
Now apply this idea to your risk assessment. Risk is measured in terms of impact and likelihood, but a risk also travels through an organization at a certain velocity. Let's use a simple example, Inappropriate System Access, as the risk and add the new metrics Time to Cause and Time to Impact. For the example below, we will assume all metrics use a 5-point scale where 1 = Low and 5 = High.
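To show how velocity changes the ordering of a risk register, here is an added example in Python; it is not the article's own worked example, and its register, ratings and combination rule are constructed for illustration. It assumes the article's 5-point scale, reads a velocity rating of 5 as "very fast" (short Time to Cause or Time to Impact), averages the two time metrics into one velocity score, and uses that score only to break ties between risks with the same impact x likelihood. Any other combination rule (for instance weighting velocity into the score itself) is a methodology choice the article leaves open.

```python
"""Added example: ranking a risk register with velocity as a third metric.

Not from the original article. The register and ratings are constructed, and
the combination rule (velocity as a tie-breaker on impact x likelihood) is an
assumption the article does not make.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the article's 5-point scale: 1 = Low, 5 = High


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    likelihood: int
    time_to_cause: int   # assumption: 5 = the triggering event can occur very quickly
    time_to_impact: int  # assumption: 5 = the consequences are felt almost immediately

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently skew the ranking.
        for field in ("impact", "likelihood", "time_to_cause", "time_to_impact"):
            value = getattr(self, field)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: {field}={value} is outside {SCALE_MIN}..{SCALE_MAX}"
                )


def base_score(risk: Risk) -> int:
    """Traditional score: impact x likelihood, 1..25."""
    return risk.impact * risk.likelihood


def velocity_score(risk: Risk) -> float:
    """Assumed rule: average of Time to Cause and Time to Impact, 1.0..5.0."""
    return (risk.time_to_cause + risk.time_to_impact) / 2


def prioritize(register: list[Risk], use_velocity: bool = True) -> list[str]:
    """Return risk names from highest to lowest priority.

    With use_velocity=False, risks with the same impact x likelihood tie and fall
    back to alphabetical order; with use_velocity=True the faster-moving risk of
    the pair is ranked first.
    """
    def key(r: Risk):
        velocity = -velocity_score(r) if use_velocity else 0.0
        return (-base_score(r), velocity, r.name)

    return [r.name for r in sorted(register, key=key)]


def fast_movers(register: list[Risk], threshold: float = 4.0) -> list[str]:
    """Risks whose velocity meets the threshold: candidates for reassessment more often than annually."""
    return [r.name for r in register if velocity_score(r) >= threshold]


# Constructed register (not the article's data); the ratings are illustrative only.
REGISTER = [
    Risk("Inappropriate system access", impact=4, likelihood=3, time_to_cause=5, time_to_impact=2),
    Risk("Critical supplier insolvency", impact=4, likelihood=3, time_to_cause=2, time_to_impact=4),
    Risk("Pandemic disrupts workforce", impact=5, likelihood=2, time_to_cause=5, time_to_impact=5),
    Risk("Ransomware outbreak", impact=5, likelihood=3, time_to_cause=5, time_to_impact=5),
]

if __name__ == "__main__":
    for label, ranking in (
        ("impact x likelihood only", prioritize(REGISTER, use_velocity=False)),
        ("with velocity", prioritize(REGISTER)),
    ):
        print(f"{label}:")
        for position, name in enumerate(ranking, start=1):
            print(f"  {position}. {name}")
    print("review more often than annually:", fast_movers(REGISTER))
```

Run as a script, the two rankings differ only where the traditional score ties: Inappropriate system access and Critical supplier insolvency both score 12, and velocity moves the access risk ahead because it can be triggered almost immediately. The `fast_movers` list is the practical answer to "when and how fast can this happen to us?": those risks are the ones worth reassessing between annual cycles.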
If you choose to incorporate risk velocity into your assessment, you will add a level of maturity to the risk discussion. Just by asking the questions: “When and how fast can this happen to us?” and “At what point will we feel what happened?” you will gain deeper insights into the risks that affect your organization. As the maturity of your risk assessment grows, so will your need for technology enablement. If you haven’t already invested in risk assessment technology, now is the time to start looking.