General Discussion Forums - Risk map

Guidance & Resources

Certification

Training

Research Foundation

Periodicals

Bookstore

Career Center

Chapters & Institutes

About The IIA

Membership

Navigation:

login

DISCUSSIONS > IIA GENERAL DISCUSSION AREA

Thread Title: Risk map
Created On Tuesday June 12, 2012 1:46 AM

Posts: 45
Joined: May 2003

Tuesday June 12, 2012 1:46 AM

User is offline

View thread in raw text format

Hello,
risk map consists of liklihood and impact, can I consider the total score of risk factor as the liklihood, and if so how can I determine the impact so I could prepare the risk map in preparing the audit plan,

Posts: 155
Joined: Sep 2010

Friday July 06, 2012 9:26 AM

User is offline

View thread in raw text format

Impact could be determined as potential damage, lost profit or value (in $$), lost reputation (high/medium/low impact) and so on.

Mark R. Simmons

Posts: 133
Joined: Nov 2003

Wednesday August 22, 2012 4:38 PM

User is offline

View thread in raw text format

<< ...how can I determine the impact so I could prepare the risk map in preparing the audit plan, >>

Just so we are on the same page:

Likelihood is the probability a critical event will occur.
Impact is the adverse result of a critical event's occurance.
Risk Score or Risk Level is the combined assessment of "Likelihood" and "Impact"

"High", "Medium" and "Low" are very subjective and mean little unless those terms are quantified somehow in an agreed upon way among all concerned parties.

A better way to define "Likelihood" is to assign values to a critical event's rate of occurance (for example: 5=likely to occur once per day; 4=likely to occur once per week; 3=likely to occur once per month; etc.)

A better way to define "Impact" is to assign values to a critical event's outcome. For example, if the risk event has a direct financial impact: 5=Loss in excess of $10M; 4=Loss between $5M and $10M; 3=Loss between $1M and $5M; etc.); or, if the risk event has an operational impact: 5=Unable to continue operations; 4=Operations interrupted for 3 months; 3=Operations interrupted for one day; etc. Depending on the operational risk (e.g., reputational loss forces the conversation about "what does this really mean" to the continued viability of the entity), the impact might be expressed in either operational or financial terms.

The "Risk Score" for each objective/risk of the entity being audited can be determined and aggregated to yield a total "Risk Score" for the entity. The individual "likelihood" and "impact" scores can be graphed in a scatter diagram to provide a visual heat map of the entity's risks.

Another key dimension of risk is the velocity at which the risk can materialize - does it build over time or come all at once (e.g., can the actions of an investment trader bring a banking house down in days or hours or even minutes). This third dimension also can be quantified and included in the risk assessment.

Edited: Thursday August 23, 2012 at 9:25 AM by Mark R. Simmons

DISCUSSIONS > IIA GENERAL DISCUSSION AREA

The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org