Operations Auditing - Chapter 3

Chapter 3 discusses risk assessment within organizations, emphasizing the importance of identifying and measuring various types of risks, including operational, strategic, compliance, and environmental risks. It highlights the role of internal auditors in advocating for stakeholders and the use of tools like risk matrices and Control Self-Assessments (CSAs) to evaluate risks and controls. The chapter also addresses future challenges such as increased outsourcing, global sourcing, and the impact of technology on risk management.

Uploaded by

Ella Mae Vergara

Chapter 3 - Risk Assessment

The theory of constraints adopts the common idiom “a chain is only as strong as its
weakest link.” This means that organizations, programs, processes, and even departments are
vulnerable because the weakest element can always damage, break, or at the very least
adversely affect the outcome.
There are many types of risks, ranging from strategic, operational, compliance, reporting,
and IT related. Risk and CSAs are an effective mechanism to involve those who have ownership for
risks and controls in the organization. By documenting processes, participants, and influencing
variables, management can be better prepared to allocate resources appropriately, set priorities,
establish accountabilities, and institute monitoring procedures.

Operational Changes
• Technological Advances
• Globalization
• Outsourcing (domestic and offshore)
• Complexities in financial markets
• Demographic shifts

Internal Auditors are uniquely positioned to help management and their boards of directors,
and advocate for other stakeholders that don’t have direct access to daily business events, but
whose interests must be protected as well.

A risk assessment is the process of identifying, measuring, and analyzing risks relevant
to a program or process. This assessment is systematic, iterative, and subject to both
quantitative and qualitative inputs and factors.
A key aspect of any risk assessment is the identification of the relevant risks. This
takes the form of a list of risks.

Type and Description

Capacity
• Inability to produce as many units as required
• Process generating excessive amounts of waste
• Producing too many defective parts (i.e., error rate)
• Delivering ordered goods or services past the promised date
• Inability to provide high quality service to every customer

Strategic
• Failing to maintain beneficial relationships with customers
• Computer system's inability to support the operating unit's needs
• Manufacturing lines being unable to keep pace with sales growth
• Lack of funding to finance business expansion
• Knowledge drain due to employee turnover
• Failure to respond to changing customer preferences

Compliance
• Failure to meet external requirements (e.g., laws and regulations)
• Failure to meet internal standard operating procedure (SOP) requirements
• Failure to meet combined requirements (e.g., contracts)

Natural environment
• Energy supply disruption
• Damage from fire, water, or natural disasters (e.g., floods, earthquakes, hurricanes, and tornadoes)
• Inability to secure needed resources (e.g., water and minerals)
• Dependency on carbon-based sources of energy
• Business interruption caused by disease

Political
• Changes in legislation or regulation due to government changes
• Social unrest triggered by changes in government

Internal constraints typically include:
Equipment. The types of equipment available and the ways they are used limit the ability of the
process to produce more high quality goods and deliver services.
People. Lack of skilled and motivated workers limits the productive capacity of any process.
Attitudes and other mental models (e.g., feeling defeated, victimized, or hopeless) embraced by
workers can lead to behaviors that become a constraint on the process.
Policies. Written and unwritten policies can prevent the process from producing more of higher
quality goods and services.

Measurement of Risks
After risks have been identified, they must be measured. The measurement process can
be either subjective or quantitative, and either driven by facts or not.
Subjective measures are driven by the participants’ experience and intuition about the
risks involved.
Quantitative measures are data-driven (impact and likelihood of risk in form of
measurement).

The Risk Matrix


The risk matrix is a widely used and highly effective tool to record and analyze the
objectives, risks, and controls in the program or process that is being audited as defined in the
scope definition.
The risk matrix is an essential ingredient when conducting risk-based audits, as it provides a
means to capture and analyze these items.

The conduct of a risk assessment means that we should look for weaknesses, sometimes
referred to as vulnerabilities, that would make an asset susceptible to damage or loss from the
hazard. Vulnerability is the “degree to which people, property, resources, systems, and
cultural, economic, environmental, and social activity is susceptible to harm, degradation, or
destruction on being exposed to a hostile agent or factor.”

Risk Based Identification Scopes


Objectives based. Identify events that may hinder the ability of the organization to achieve its
objectives partially or completely. In this case, brainstorming and the Delphi method may be
useful techniques to collect the relevant information and assess the impact of these events.
Scenario based. Create different scenarios or alternative ways of achieving objectives and
determine how forces interact. A useful approach is to identify triggers that can start–stop
different scenarios from occurring.
For either of these two approaches, management must consider the external and internal factors
that can affect event occurrence:
External. For example, economic, business, natural environment, political, social, and
technological factors.
Internal. Examples include infrastructure, personnel, processes, and technology.

Events can have either a positive or negative impact representing risks and opportunities. These
developments should be incorporated into the objective setting process and risk assessment.
Common-risk checking. Use a prefabricated list of common risks in your industry or area of
scope. This technique is explained in more detail below.
Risk charting. Combination of above approaches consists of listing resources at risk and the
threats to those resources. Identify the risk factors and the consequences.
The Federal Emergency Management Agency provides the Mapping Information Platform
and the Risk MAP (Mapping, Assessment, and Planning) to help organizations by delivering data
that increases public awareness and leads to action to reduce the risk to property and life.
The US Geological Service (USGS) has a great deal of seismic information to help
organizations identify their vulnerabilities from fault lines, and incident history as a possible
gauge to future activity through probability analysis based on location, time span, and radius
from a designated location.
Environmental Protection Agency (EPA) provides information and assistance regarding
harmful effects to human health or to ecological systems caused by exposure to any physical,
chemical, or biological entity that can result in an adverse response (called stressors).

Risk Mitigation
A strategy to prepare for and lessen the effects of threats faced by a business.
Comparable to risk reduction, risk mitigation takes steps to reduce the negative effects of
threats and disasters on business continuity.

Control Self-Assessments (CSAs) help bridge this gap by requiring process owners to
complete questionnaires and forms that identify major activities, objectives, risks, controls, key
personnel, and challenges within their areas. This process encourages managers to evaluate the
design and effectiveness of their controls.

Business Activities and their Risk Implications


Assemble to order. This is a type of production system where the material is prepared so it can
be assembled quickly upon receipt of the customer request and is usually customizable to a
certain degree. In general, the parts are already manufactured, but won’t be assembled until the
order is received. This strategy is between two other common manufacturing strategies: make to
stock (MTS) and make to order (MTO). In MTS, products are manufactured in advance, while in
MTO, the products are produced after the order is received.
MTO. This methodology involves manufacturing only after a customer’s order is received, so the
process begins when demand occurs. This is a pull-type supply chain operation because
manufacturing is performed when demand is confirmed. In other words, it is being pulled by
demand.
MTS. When using this methodology, products are manufactured based on demand forecasts.
Since the accuracy of the forecasts will prevent excess inventory on one end, and minimize the
opportunity loss due to stockouts on the other, the issue for organizations is how to forecast
demands accurately.
Bottleneck. This term refers to a point in a process where there is limited productive capacity
and the flow slows down. This constriction can slow or even stop the flow of work until some
intervention occurs, or time passes allowing items to move through, while other incoming items
continue to accumulate.
Collaborative inventory management. Consists of the cooperation between a buyer and a
supplier to improve stock availability and reduce costs. This is often accomplished by sharing
forecast information and using a single plan.
Consignment. This is an inventory management and replenishment method where a buyer only
pays for the products held at a third party location when the items have been sold to the
customer. Unsold products can usually be returned to the supplier as well.
Cycle time. Refers to the reduction in the time and related costs needed for a product or service
to move through part or all of a supply chain. Internal auditors focused on financial and many
compliance risks have paid little attention to this topic.
Distribution center (DC) bypass or drop ship. This activity refers to circumventing the DC or
entire distribution channel by routing freight directly to its destination. In other words, move
products from the manufacturer directly to the retailer or end user without going through the
typical distribution channels.
Electronic data interchange (EDI). These consist of standardized sets of data transmitted
between various business partners during business transactions. By using the same standard,
two companies can exchange documents and reduce the reliance on paper, and reduce human
interaction saving time and money.
Inventory. Stock of raw materials, semifinished goods (e.g., work in process), or finished
material held to protect the organization against unpredictable, uncertain, or erratic supply or
demand with the objective of avoiding stock-out situations.

Future Challenges and Risk Implications


Increased outsourcing. This trend, which started getting widespread attention in the 1980s,
accelerated in the 1990s, became commonplace in the 2000s and continues to grow into the
2010s. Initially, it was touted as a great mechanism to reduce expenses, boost productivity and
efficiency, and free the organization, so it could focus on its core activities.
Global sourcing. Whereas most companies used to work with, and obtain their raw and
semifinished goods from local suppliers, it is commonplace now for organizations to search the
globe for suppliers. This is driven by lower prices and the related savings, but also because the
quality of foreign-sourced inputs has increased in most cases.
Margin compression. As competition has expanded to a more global environment, and some of
the new competitors benefit from lower costs and even subsidies and protectionist practices in
some countries, many organizations struggle to remain competitive under such conditions.
Technology. The number and scale of technological changes over the past two decades is
immense. This includes, but is certainly not limited to, ERP systems with built-in supply chain
management, product life cycle management, customer relationship management, supplier
relationship management, document management, and project management functionality.
Growth in Asia and other developing markets. The increasing purchasing power and wealth
creation in emerging markets is opening new opportunities that many organizations cannot miss.
Improved customer analytics. In the past, organizations focused on mass production to drive
down unit costs.
Data capture and transfer capabilities. Improvements in data storage, lowering the costs
dramatically over the past three decades, improvements in networking capabilities (local area
network [LAN], wide area network [WAN]) and the internet, and enhancements in wireless
communications, such as radio frequency identification (RFID), make it increasingly easy and
economical for organizations to obtain, analyze, and disseminate information real time or near
real time. This allows organizations to know what is happening throughout their organizations
and correct issues promptly.
Environmental initiatives. Ecological considerations are increasingly becoming a key concern
for organizations. Whether it is the sourcing of materials locally, sourcing them through fair-trade
practices, reducing the amount of inputs and packaging used, lowering the amount of waste
generated, manufacturing goods using recycled components, or producing items from reused
ingredients, environmental considerations are affecting how organizations are perceived and in
some cases even steering buying decisions.
Government involvement. While the degree of acceptance of government involvement varies
by country and changes over time, governments in general are increasingly becoming more
involved in the support of private sector activities.
Geo-political risks. The rise of extremism around the world threatens organizations’ abilities to
operate freely around the world.
Corruption. Organizations, indeed entire economies, continue to suffer from the scourge of
corruption. Defined as dishonest or unethical conduct by a person entrusted with a position of
authority, often to acquire personal benefit, it includes many activities including bribery and
embezzlement, though it may also involve practices that are legal in many countries, such as
blatant favoritism and nepotism, discrimination, and largesse.
