October 2011

Risk and the Butterfly
 

A new tool enables both internal auditors and management to better identify risk events as part of the organization’s risk analysis.

 

Eric Lavoie, CIA, CCSA, CA
Partner, Risk Management and Internal Audit
Lemieux Nolet

 

As more and more organizations implement formal enterprise risk management (ERM) processes, internal auditors face the challenge of evaluating the effectiveness of those processes and contributing to their improvement, as directed by IIA Standard 2120: Risk Management. Consequently, auditors need to rebalance their efforts from traditional risk-based auditing to focusing on management’s ERM process — specifically, to challenging management’s risk analysis. This risk analysis corresponds with the event identification, risk assessment, risk response, and control activity components of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework. Internal auditors need to master the art of risk analysis to bring value to their organization in its journey toward an effective and sustainable ERM process.

 

In practice, risk analysis is a paradox. On one hand, some managers who are implementing risk management in their sector contend that the process comes naturally and can remain informal. On the other hand, risk management becomes more complex and difficult to apply as organizations try to document a useful process. Whatever the belief, many organizations have failed to manage their risks without a formal risk management process, although having such a process in place is no guarantee that the effort will succeed. Adopting a “butterfly risk tool” can help internal auditors evaluate the effectiveness of management’s ERM process and contribute to its improvement.

 

ANALYZING RISK

Risk analysis is not an exact and objective science. Anyone can perform a risk analysis and generate a list of numerous risk items, according to his or her perceptions and definition of risk. But this list may not be useful and sufficient to demonstrate mastery of risks.

 

Typical pitfalls involved with event identification include:

  • Incomplete risk (i.e., source only, event only, or consequence only).
  • Irrelevant risk (i.e., not related to objectives or process scope).
  • Too general or generic risk (i.e., not sufficiently adapted to the specific context). Examples include a broad risk category such as financial risk or a risk area such as supply chain risk, in which the risks still need to be identified.
  • Risk confused with the corresponding objective or asset to protect. Examples include protection of confidential data (objective) versus unauthorized access to confidential data (risk), or reputational risk (risk) versus what could go wrong and damage reputation (objective).
  • Risk factor considered as a risk. Although a risk factor, such as complexity, is not manageable, it is inherent and needs to be considered when assessing and responding to the risk.
  • A lack of control considered as the risk. Control will be addressed later in the evaluation process.
  • A past incident or an actual problem considered as the risk. Risk, by definition, is focused on future potential events. However, incidents and problems should be considered during risk assessment. Recalling a past incident or a known problem can contribute to identifying the risk that a similar incident could materialize in the future. Risk management is not about solving problems but anticipating and proactively responding to potential problems.

The concept of risk involves unavoidable gray zones. Typical event identification tools may be used, looking at risk from different angles such as through key questions, risk models, risk categories, and assets at risk. The gathered information then needs to be structured and documented to be useful for the remaining steps. This requires nuance and adaptation to the specific context. The substance of risk has to be extracted from the gray zones and clearly revealed under daylight.

 

That’s where the science of risk management also becomes an art: It requires the ability to see the overall picture and good writing skills to deliver a valuable and credible risk profile. This aspect has to be acknowledged and tackled with a rigorous approach by management (to implement ERM) and internal audit (to assess management’s ERM plan) because many risks are hidden in those gray areas. It also requires a holistic approach that considers interdependencies among risks while still considering significant risks distinctly.

 

A PRACTICAL TOOL

The COSO ERM framework “event identification” component addresses external and internal factors, risk/event categories, consideration of past events, and risk interdependencies. The “Butterfly Risk Tool,” below, is intended to clarify, complete, and integrate those related concepts to enrich management’s risk analysis and enable internal auditors to perform a robust ERM effectiveness evaluation. Underlying this tool is a broader paradigm that considers and formally documents the risk sources and consequences for each potential event. Applicable at first during event identification, it encompasses and brings value to risk assessment, risk response, and control activities. Auditors using the tool could gain ideas to better assess whether management’s event identification is complete and sufficiently detailed to provide value in the remaining phases of the risk management process.

Figure: Lavoie Butterfly Risk Tool (image not reproduced here)

The image of a butterfly illustrates the paradigm’s two main dimensions: event identification and control activities. For event identification, the left wing refers to risk sources and the right wing to risk consequences. Risk sources include external and internal sources, risk factors, and risk indicators (e.g., past incidents, red flags, and near misses). Monitoring external and internal environments can enable management and auditors to identify new and emerging risks once typical inherent risks have been identified. Risk consequences consider types of impact and their potential extent and speed of realization. Many types of potential impacts need to be considered, including monetary, physical, informational, and loss of reputation and other intangible assets. Moreover, impact will vary depending on stakeholder scrutiny, powers, expectations, and sensibility.

 

For risk assessment, likelihood relates to the left side and impact relates to the right side. Risk response options of “reducing likelihood” and “avoiding risk” apply on the left wing; options of “mitigating impact” and “transferring/diversifying risk” apply on the right wing. Preventive and monitoring control activities apply on the left; mitigation and corrective controls on the right. Risk interdependencies appear on the left when the consequence of an upstream risk becomes a source of the risk under analysis. On the right, a consequence of the risk could become a source of another downstream risk. Another feature of the tool is the inherent application of a process view and of an “extended organization” perspective (i.e., consideration of key suppliers and outsourcers) at the junction of external and internal sources.

 

A prerequisite to applying the butterfly risk tool effectively is a clear and shared definition of its key underlying concepts (see “Applying the Butterfly Tool”). This example illustrates to what extent a risk should be identified to allow for effective risk management. The concept of risk can be viewed as a set of potential scenarios that could go wrong in a specific external and internal environment. A richer multisource and multiconsequence analysis might encompass more than one risk scenario within a specific risk, therefore requiring those different aspects to be considered in subsequent phases of the analysis. Alternatively, many potential scenarios might be split up into individual risks to be assessed separately. The example also highlights some interdependencies among risks. Moreover, it shows contextualized risk factors and indicators that should be considered during the assessment phase because they generally contribute to increased likelihood.

 

Internal auditors need to master these concepts and contribute to a common risk language. For example, they should be able to explain the difference between a risk and a risk factor, which are frequently confused in risk literature. They should understand that risk/impact mitigation is only one of many possible risk responses.

 

BENEFITS FOR RISK ANALYSIS

At first, the butterfly risk tool can be useful to management in preparing a complete risk event identification and during subsequent steps in the risk management process. It is not intended to be used by internal auditors to document systematically each risk in a risk profile, which would not be cost-effective; instead, auditors should use it as a mind frame for reviews and assessments of management’s risk event identification deliverable.

 

Risk Assessment
The butterfly tool facilitates risk measurement and can ensure the consistency and credibility of risk profiles. Moreover, it can enhance management and stakeholder “buy-in” of the risk assessment because sources and risk factors/indicators are considered collectively to assess likelihood, and consequences are considered collectively to assess impact. For example, when assessing the risk of infrastructure becoming unavailable, the extent and speed at which an outage would reach IT systems and workstations should be considered to measure its potential impact.

 

Risk Response Strategy
When residual risk exceeds risk tolerance, the butterfly tool ensures that all significant external and internal sources and consequences are being addressed by a risk response strategy. It helps to determine the appropriate risk response strategy, including options to reduce likelihood and mitigate impacts. The tool also can ensure that risk factors/indicators are considered to establish a relevant and feasible risk response strategy. In addition, it can help management target sectors responsible for action plans addressing both external and internal sources. In the examples depicted in the sidebar, the following sectors would be involved in an integrated risk response strategy:

 
  • Infrastructure and systems temporarily unavailable: IT, human resources, finance (purchasing), legal (contract design), and public relations (crisis management).
  • Decreased client satisfaction: top management (strategy), research and development (product development), order management, shipping, and complaint management.
 

Additionally, the butterfly tool demonstrates that if a risk event cannot be prevented from an external source, available options remain such as mitigating the impact or transferring a portion of the impact outside the organization. In the example of unavailable infrastructure, the mitigation strategy typically would consist of business continuity preparedness and readiness. The organization also could work with external IT outsourcers to reduce the likelihood through risk sharing and contractual incentives.

 

Finally, management can use the tool to prepare an influence diagram showing upstream risks from the left and downstream risks to the right. Upstream risks such as “lack of expertise” could be prioritized for risk response and action planning because of their leverage over other risks.
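The butterfly paradigm described above (sources on the left wing, the event in the middle, consequences on the right wing, and upstream/downstream links between risks) can be written down as a small register and queried, which makes the influence-diagram idea concrete: rank risks by how many others they can reach downstream, and flag the “incomplete risk” pitfall from the event identification list. The Python below is an added example, not the article’s tool nor code from the author or from Lemieux Nolet. The risk names reuse the three risks named in this article (unavailable infrastructure, decreased client satisfaction, lack of expertise), but the sources, consequences, factors, indicators and the links between them are constructed for the example, since the “Applying the Butterfly Tool” sidebar is not reproduced on this page; the fourth, deliberately generic “financial risk” entry exists only to trigger the completeness check.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One butterfly: left wing = sources, body = event, right wing = consequences."""
    name: str
    event: str
    external_sources: list = field(default_factory=list)
    internal_sources: list = field(default_factory=list)
    risk_factors: list = field(default_factory=list)     # inherent, not manageable (e.g. complexity)
    risk_indicators: list = field(default_factory=list)  # past incidents, red flags, near misses
    consequences: list = field(default_factory=list)     # type, extent and speed of impact
    upstream: list = field(default_factory=list)         # risks whose consequence is a source here


def completeness_issues(risk):
    """Flag the 'incomplete risk' pitfall: source only, event only, or consequence only."""
    issues = []
    if not (risk.external_sources or risk.internal_sources):
        issues.append("no source identified (left wing empty)")
    if not risk.event.strip():
        issues.append("no event stated")
    if not risk.consequences:
        issues.append("no consequence identified (right wing empty)")
    return issues


def downstream_reach(register, name):
    """Every risk that `name` can influence, following upstream links transitively."""
    reached, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for r in register.values():
            if current in r.upstream and r.name not in reached:
                reached.add(r.name)
                frontier.append(r.name)
    return reached


def rank_by_leverage(register):
    """Influence-diagram ordering: risks with the widest downstream reach first, ties by name."""
    return sorted(((n, len(downstream_reach(register, n))) for n in register),
                  key=lambda t: (-t[1], t[0]))


def unknown_upstream(register):
    """Dangling interdependencies: upstream names that have no entry in the register."""
    return sorted({u for r in register.values() for u in r.upstream if u not in register})


# Constructed register (assumption, not the article's sidebar).
REGISTER = {r.name: r for r in [
    Risk("lack_of_expertise", "Key IT expertise is lost",
         external_sources=["scarce skills on the labour market"],
         internal_sources=["retirements and turnover of key staff"],
         risk_factors=["reliance on a few specialists"],
         consequences=["knowledge gaps on critical systems"]),
    Risk("infrastructure_unavailable", "Infrastructure and systems temporarily unavailable",
         external_sources=["outsourcer outage", "power failure"],
         internal_sources=["misconfiguration by inexperienced staff"],
         risk_factors=["infrastructure complexity"],
         risk_indicators=["near-miss outage last quarter (constructed)"],
         consequences=["IT systems and workstations down site-wide within minutes"],
         upstream=["lack_of_expertise"]),
    Risk("client_satisfaction_decrease", "Decreased client satisfaction",
         external_sources=["competitor offering"],
         internal_sources=["shipping delays", "unresolved complaints"],
         consequences=["lost orders", "reputation damage"],
         upstream=["infrastructure_unavailable"]),
    Risk("financial_risk", "Financial risk"),  # generic and incomplete on purpose
]}


if __name__ == "__main__":
    for n, r in REGISTER.items():
        for issue in completeness_issues(r):
            print(f"{n}: {issue}")
    for missing in unknown_upstream(REGISTER):
        print(f"dangling upstream reference: {missing}")
    for n, reach in rank_by_leverage(REGISTER):
        print(f"{n}: influences {reach} downstream risk(s)")
```

Run as a script, the register reports the generic entry as having neither sources nor consequences, and places “lack of expertise” first because both downstream risks are reachable from it, which is the leverage argument the article makes for prioritizing upstream risks. The article also notes that auditors should treat the tool as a mind frame rather than document every risk this way; the register is meant for the handful of significant risks where interdependencies matter.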

 

Control Activities
With the butterfly tool, control activities can be addressed better globally as a “portfolio” and by using a process view. The tool facilitates the integration of risk, risk response, and control activities. It also helps management and auditors understand the collective effect of a mix of preventive, monitoring, detective, corrective, and mitigation controls. In the infrastructure availability example, sound risk management of a potential system outage would result in a combination of actions, including implementing access controls, focused training, key IT expertise retention, business continuity, and crisis management.

 

TARGETING AND CONTROLS

Addressing significant sources and consequences to reduce their likelihood and mitigate their impact is a good start — but one additional dimension still needs to be considered. Risk management should target any risk area that would deserve greater attention such as a process, business unit, or system. For the risks addressed in “Applying the Butterfly Tool,” specific employee categories, IT systems, and client categories would be targeted for both risk response strategy and control activity design.

 

A risk paradigm must be maintained until the end of the risk analysis process. Applying systematic and widespread control activities rarely results in cost-effective risk management. Controls need to be balanced with corresponding risk assessments. Consequently, higher risk areas would deserve priority for additional or more intensive control activities. Conversely, control activities should be eliminated or reduced in intensity for low risk areas. To address the lack of expertise risk, for example, the organization could identify key employees with high and rare expertise to participate in formal mentoring and knowledge-transfer programs. Preventive controls such as employee contract clauses, career planning, and personal conflict detection and mitigation would be intensified.

 

A MULTIFACETED APPROACH

Overall, the butterfly tool can help management better assess and prioritize risks as well as determine the most effective risk response and control strategy. Therefore, it can be used to evaluate to what extent management’s risk analysis tools contribute to rich and complete risk profiles.

 

It also can enable internal auditors to perform a more effective ERM evaluation, recommend improvements, and better challenge and evaluate management’s risk and control self-assessments. Moreover, the approach can support auditors when they facilitate risk assessment workshops and when they train management in gaining a common language and understanding of risk and control concepts.

Risk and the butterfly in French?
The author of this article appears to be a francophone. If a French version of his article exists, I would have appreciated a link so that it can be found easily.
Posted By: Gravel, Alain, CA, Ph.D.
2011-10-30 11:40 AM