Risk (i.e., variability) is present when events occur that affect an organization's ability to accomplish its objectives. An assessment of risk should drive the attention and effort of management, second line functions, and internal audit. While risk assessment is impossible to do perfectly – and difficult to do well – it is very easy to do poorly. It is past time for many to make changes to perform this critical task better.
Risk assessment can be improved so it isn't done mindlessly or simplistically – and this can be accomplished without ridiculously complex models. The following are some suggestions to motivate auditors and risk managers to consider how they could improve their risk assessment.
1. Embrace diversity – reject forcing a square peg into a round hole.
Organizations need to approach risk assessment differently for different activities. Consider risks around: (a) rebate programs for sales of a commodity product, (b) expansion into a new geography, (c) a high-impact IT implementation, (d) impending turnover of high-knowledge employees, and (e) employee safety. It is not possible to define a single set of attributes that apply equally to the risks of all these situations or activities. Instead, design multiple risk assessment models for dissimilar activities, and then create a structure to integrate the output of these models into a whole.
2. Look beyond impact and likelihood.
We do not live in a two-dimensional world. While many like the simplicity of thinking only about impact and likelihood, looking at additional attributes to assess risk is worth the effort. My favorite additional attributes to consider are:
- velocity (how quickly the risk could manifest itself).
- complexity (how many tentacles the risk has once it materializes).
- adaptability (whether the organization can pivot quickly to respond to changes).
- recovery (how long it takes the organization to dig itself out from the impacts of the risk).
3. Use quantitative data properly.
Some gather available quantitative data, maybe compute a few averages, and drop numbers into a calculation model. While this looks “scientific”, it can be worse than a waste of time when the analysis is incomplete and the results are flawed. With quantitative data one must do more than gather a slice of historical data and run it through a predefined model. For useful results, additional effort is needed. For example: (a) confirm that the easily available data is the best data, (b) use ranges for data, not point estimates, (c) run scenario analyses with different assumptions, and (d) control for intercorrelation amongst data points. I have never seen a calculated risk score that didn’t have inherent inaccuracies or biases that could have been addressed.
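To make points (b) and (d) concrete, here is a small Monte Carlo loss model. It is an added illustration, not part of the original article or the author's own method: the two events in the register, their annual probabilities and their low/most-likely/high loss ranges are constructed for the example, and correlation between the events is represented with a single shared factor (a one-factor Gaussian copula), which is one simple way, not the only way, to model it. The point it shows is that the "average it and add it up" figure and the simulated mean agree, but the tail of the simulated distribution moves substantially once the events are allowed to be correlated, which a point estimate can never reveal.

```python
"""Monte Carlo loss model: ranges instead of point estimates, and a shared
factor so that events can be correlated.  Added illustration only; all
events, probabilities and ranges below are made up for the example."""
import math
import random
from statistics import NormalDist

# Constructed sample risk register (loss amounts in thousands).  Each event
# has an annual probability of occurring and a triangular loss range
# (low / most likely / high) rather than a single point estimate.
EVENTS = [
    {"name": "key supplier outage", "p": 0.30, "lo": 50, "mode": 100, "hi": 300},
    {"name": "customer data breach", "p": 0.20, "lo": 20, "mode": 80, "hi": 500},
]


def point_estimate(events):
    """The naive figure: probability times the mean of the range, summed.
    It is a valid expected value but says nothing about the tail."""
    return sum(e["p"] * (e["lo"] + e["mode"] + e["hi"]) / 3 for e in events)


def simulate(events, rho=0.0, trials=20000, seed=1):
    """Sample total annual loss `trials` times.

    rho is the loading of every event's occurrence on one shared latent
    factor (a one-factor Gaussian copula, an assumption for this example):
    rho=0 makes the events independent, rho close to 1 makes them tend to
    happen in the same bad year.  Loss magnitudes are drawn from each
    event's triangular range.  A fixed seed keeps the run reproducible.
    """
    rng = random.Random(seed)
    nd = NormalDist()
    totals = []
    for _ in range(trials):
        common = rng.gauss(0.0, 1.0)          # the shared "bad year" factor
        total = 0.0
        for e in events:
            # Correlated standard normal for this event; its CDF is uniform
            # on [0, 1], so comparing to p gives an occurrence with prob. p.
            z = rho * common + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
            if nd.cdf(z) < e["p"]:
                total += rng.triangular(e["lo"], e["hi"], e["mode"])
        totals.append(total)
    totals.sort()
    return {
        "mean": sum(totals) / trials,
        "p95": totals[int(0.95 * trials)],
        "p99": totals[int(0.99 * trials)],
        "max": totals[-1],
    }


if __name__ == "__main__":
    print(f"point estimate of expected loss: {point_estimate(EVENTS):.1f}")
    for rho in (0.0, 0.8):
        r = simulate(EVENTS, rho=rho)
        print(f"rho={rho}: mean={r['mean']:.1f}  p95={r['p95']:.0f}  "
              f"p99={r['p99']:.0f}  max={r['max']:.0f}")
```

Running it with `rho=0.0` and `rho=0.8` gives almost the same mean (the marginal probabilities and ranges have not changed) but a visibly higher 95th and 99th percentile in the correlated case, because the two losses now land in the same year more often. Point (c), scenario analysis, is the same code run again with a different register: raise a probability, widen a range, or change `rho`, and compare the percentiles rather than the averages.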
4. Leverage quantitative data, but don’t forget the importance of your judgment.
Being a “data geek” is good for risk assessment and many argue to just “follow the data.” You should rely heavily on quantitative data, but judgment is a critical, if not the critical, component to risk assessment. Models and sophisticated tools need your judgment in their design and execution. Qualitative “data” that is difficult or inappropriate to quantify is often a prime component of risk assessment and needs to be guided by your judgment. Quantitative data and tools are fabulous input to risk assessment, but do not displace the need for your expert judgment.
5. Be honest with yourself and stakeholders.
Risk assessment incorporates so much expertise and judgment that it is as much an art as a science. Many have a strong bias to want to quantify everything and then expect to calculate risk scores to at least two places after the decimal point. Given the amount of judgment involved, it is almost impossible to precisely measure risk. It is a complex, multi-faceted, always changing, amorphous "thing." An attempt to communicate your risk assessment of a complex topic through simple calculated numbers can give it an aura of precision that is not deserved. Instead, communicate to stakeholders using clear language to explain your analysis and conclusions, in the same language they use when discussing the organization's objectives and performance. Save the numbers and charts for backup.
Assessing risks takes skill, and time to perfect that skill. Apply your business acumen. Make improvements to risk assessment in stages. It is better to get a partial improvement implemented, and implemented right, than trying to do it perfectly all at once (and failing).
This is not a complete discussion of best practices in risk assessment. Consider the suggestions made above as input. Give yourself license to experiment and make improvements, real improvements, over time. This is one of those topics where no one has all the answers.
Doug Anderson, CIA, CRMA, CMA, CPA, has focused on many aspects of assurance, risk management, finance, and accounting in his career. He has served as CAE Solutions Managing Director at The Institute of Internal Auditors, Inc; was an Assistant Professor of Accounting and Finance at Saginaw Valley State University; spent 22 years at The Dow Chemical Company primarily in internal audit including 9 years as CAE; and spent 10 years with PwC early in his career. Doug has held many volunteer positions at The IIA and has participated in COSO projects, ISO committees, and the PCAOB Standing Advisory Group.