Hello, a risk map consists of likelihood and impact. Can I consider the total score of risk factor as the likelihood, and if so, how can I determine the impact so I could prepare the risk map in preparing the audit plan?
<< ...how can I determine the impact so I could prepare the risk map in preparing the audit plan, >>
Just so we are on the same page:
Likelihood is the probability a critical event will occur. Impact is the adverse result of a critical event's occurrence. Risk Score or Risk Level is the combined assessment of "Likelihood" and "Impact".
"High", "Medium" and "Low" are very subjective and mean little unless those terms are quantified somehow in an agreed upon way among all concerned parties.
A better way to define "Likelihood" is to assign values to a critical event's rate of occurrence (for example: 5=likely to occur once per day; 4=likely to occur once per week; 3=likely to occur once per month; etc.)
A better way to define "Impact" is to assign values to a critical event's outcome. For example, if the risk event has a direct financial impact: 5=Loss in excess of $10M; 4=Loss between $5M and $10M; 3=Loss between $1M and $5M; etc.; or, if the risk event has an operational impact: 5=Unable to continue operations; 4=Operations interrupted for 3 months; 3=Operations interrupted for one day; etc. Depending on the operational risk (e.g., reputational loss forces the conversation about "what does this really mean" to the continued viability of the entity), the impact might be expressed in either operational or financial terms.
The "Risk Score" for each objective/risk of the entity being audited can be determined and aggregated to yield a total "Risk Score" for the entity. The individual "likelihood" and "impact" scores can be graphed in a scatter diagram to provide a visual heat map of the entity's risks.
Another key dimension of risk is the velocity at which the risk can materialize - does it build over time or come all at once (e.g., can the actions of an investment trader bring a banking house down in days or hours or even minutes). This third dimension also can be quantified and included in the risk assessment.
Edited: Thursday August 23, 2012 at 9:25 AM by Mark R. Simmons