How Do I ... Gauge Business Risk
An entity-level risk assessment provides management with the basis for a range of decisions, such as determining internal audit coverage, insurance coverage, and overall risk tolerance. By recognizing and appreciating the potential impact of entitywide risks, an organization can select responses that align with its business objectives and risk appetite. Findings from the assessment can also be used to establish the scope of internal audits, audit objectives, the areas covered, internal control testing, or support for the independent financial auditors' work.
FOCUSING ON RISK
Entity risk assessment typically consists of a general, top-down process that focuses first on the most crucial entity-level risks — those risks posing the greatest threats to the organization. Each risk is assessed according to its likelihood and potential impact, which in turn helps determine risk severity and priority. Management can use this information to drill down to the risks affecting significant processes for the company's most crucial activities. Examples of entity-level risks include:
Risk assessment is not a static activity: Internal and external events throughout the year present new risks and alter the likelihood and impact of previously identified risks.
Risk assessment is essential for implementing any set of risk management and response efforts. The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management — Integrated Framework (COSO ERM), for example, includes Risk Assessment as one of its eight primary components. The remaining components are: Internal Environment, Objective Setting, Event Identification, Risk Response, Control Activities, Information and Communication, and Monitoring.
Risk assessment also yields a number of secondary benefits. It enables organizations to evaluate strategic decisions against their risk appetite, the degree of risk they are willing to accept. Any number of strategies might achieve a corporate objective; assessing the risks associated with each option enables the organization to select the most appropriate one.
Effective risk assessment helps organizations become more responsive to change; reduces the chance of adverse, unreported events; and enhances transparency. By continually assessing risk, a company can not just survive, but thrive.
Adapted from "Gauging Business Risk" by Alyssa G. Martin (Internal Auditor, "Back to Basics," June 2006)