Thread Title: Risk map
Created On Tuesday June 12, 2012 1:46 AM


CIA


Posts: 45
Joined: May 2003

Tuesday June 12, 2012 1:46 AM


Hello,
A risk map consists of likelihood and impact. Can I consider the total score of the risk factors as the likelihood, and if so, how can I determine the impact so I can prepare the risk map when preparing the audit plan?




Yuri


Posts: 155
Joined: Sep 2010

Friday July 06, 2012 9:26 AM


Impact could be determined as potential damage, lost profit or value (in $$), lost reputation (high/medium/low impact) and so on.




Mark R. Simmons


Posts: 133
Joined: Nov 2003

Wednesday August 22, 2012 4:38 PM




<< ...how can I determine the impact so I could prepare the risk map in preparing the audit plan, >>


Just so we are on the same page:

Likelihood is the probability a critical event will occur.
Impact is the adverse result of a critical event's occurrence.
Risk Score or Risk Level is the combined assessment of "Likelihood" and "Impact".

"High", "Medium" and "Low" are very subjective and mean little unless those terms are quantified somehow in an agreed upon way among all concerned parties.

A better way to define "Likelihood" is to assign values to a critical event's rate of occurrence (for example: 5=likely to occur once per day; 4=likely to occur once per week; 3=likely to occur once per month; etc.).

A better way to define "Impact" is to assign values to a critical event's outcome. For example, if the risk event has a direct financial impact: 5=Loss in excess of $10M; 4=Loss between $5M and $10M; 3=Loss between $1M and $5M; etc.; or, if the risk event has an operational impact: 5=Unable to continue operations; 4=Operations interrupted for 3 months; 3=Operations interrupted for one day; etc. Depending on the operational risk (e.g., reputational loss forces the conversation about "what does this really mean" to the continued viability of the entity), the impact might be expressed in either operational or financial terms.

The "Risk Score" for each objective/risk of the entity being audited can be determined and aggregated to yield a total "Risk Score" for the entity. The individual "likelihood" and "impact" scores can be graphed in a scatter diagram to provide a visual heat map of the entity's risks.

Another key dimension of risk is the velocity at which the risk can materialize - does it build over time or come all at once (e.g., can the actions of an investment trader bring a banking house down in days or hours or even minutes). This third dimension also can be quantified and included in the risk assessment.

Edited: Thursday August 23, 2012 at 9:25 AM by Mark R. Simmons

The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org