A Third Factor in Risk Assessment
Transcript of A Third Factor in Risk Assessment

7/25/2019 A Third Factor in Risk Assessment

RISK WATCH
EDITED BY JAMES ROTH AND DONALD ESPERSEN

A THIRD FACTOR IN RISK ASSESSMENT

The FMEA process adds detection to the traditional considerations of likelihood and significance when assessing operating reliability.

BY TOMMASO CAPURSO

Risks are usually assessed in line with The IIA's International Standards for the Professional Practice of Internal Auditing according to their likelihood and significance, and with simple ratings of high, moderate, or low. This method is sufficient for most purposes, but a more rigorous process, failure modes and effects analysis (FMEA), is worth considering in some situations.

FMEA emerged in the United States around the middle of the 20th century. It was first used in several advanced-technology areas, including the military and the aeronautic, nuclear, and electronics industries. Today, it has spread to the automobile industry and, to a lesser extent, many other areas. FMEA was designed to analyze operating reliability qualitatively. It can also be used to help decide where to apply limited resources to achieve maximum risk reduction.

In addition to likelihood (L) and significance (S), FMEA considers detection risk (D), the likelihood that a risk event will not be detected in time to prevent real damage. Each of the three factors is assessed on a 10-point scale:

- For likelihood (or frequency): 10 = very often; 1 = rarely.
- For significance (or severity): 10 = highly serious; 1 = imperceptible.
- For the probability of lack of detection: 10 = no chance of being detected; 1 = strong chance of being detected.

These three numbers are then multiplied to arrive at a risk priority number (RPN) ranging from 1 to 1,000. The RPNs within a portfolio of risks can help managers decide where to allocate resources to reduce risk to the desired level cost-effectively.
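The following is an added example, not code from the article or its author, showing the three-factor scoring just described as a small Python worksheet: each factor is validated against the 10-point scale with the article's semantics (for D, 10 means no chance of timely detection), the RPN is the product S x L x D, and a constructed portfolio is ranked by RPN. It also exposes a point worth checking in any FMEA review: two failure modes can share an RPN while having very different profiles, so a severe, hard-to-detect but rare failure can rank level with a frequent, minor, easily detected one. The sample failure modes and their ratings are constructed for illustration.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # each FMEA factor is rated on a 10-point scale


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet: a failure mode with its three ratings.

    significance (S): 10 = highly serious, 1 = imperceptible
    likelihood   (L): 10 = very often,     1 = rarely
    detection    (D): 10 = no chance of being detected in time, 1 = strong chance
    """
    name: str
    significance: int
    likelihood: int
    detection: int

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot produce an RPN above 1,000
        for label, value in (("S", self.significance), ("L", self.likelihood), ("D", self.detection)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label}={value!r} is outside the {SCALE_MIN}-{SCALE_MAX} scale")

    @property
    def rpn(self) -> int:
        """Risk priority number: S x L x D, from 1 to 1,000."""
        return self.significance * self.likelihood * self.detection


def rank_by_rpn(modes):
    """Return failure modes ordered from highest to lowest RPN (ties keep input order)."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def same_rpn_different_profile(a: FailureMode, b: FailureMode) -> bool:
    """True when two modes share an RPN but differ in some factor: the product hides the profile."""
    return a.rpn == b.rpn and (a.significance, a.likelihood, a.detection) != (
        b.significance, b.likelihood, b.detection)


# Constructed sample portfolio (illustrative ratings, not taken from the article)
SAMPLE_MODES = [
    FailureMode("Alarm threshold misconfigured", significance=8, likelihood=5, detection=7),
    FailureMode("Backup link fails silently", significance=9, likelihood=2, detection=9),
    FailureMode("Ticket routed to wrong team", significance=4, likelihood=8, detection=3),
    FailureMode("Log retention too short", significance=6, likelihood=3, detection=5),
]

if __name__ == "__main__":
    for m in rank_by_rpn(SAMPLE_MODES):
        print(f"RPN {m.rpn:4d}  S={m.significance} L={m.likelihood} D={m.detection}  {m.name}")
```

Running the module lists the constructed portfolio from RPN 280 down to 90; the "Backup link fails silently" row is the case to watch, since its RPN of 162 comes almost entirely from severity and lack of detection rather than frequency.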
FMEA was recently used in an audit of telecommunications network management.

PRIORITIZING RISK MANAGEMENT ACTIONS

The objective of the telecommunication network management audit was to evaluate management's problem-solving processes and identify critical issues to improve customer service. Before the audit, management had identified 12 projects to improve the network. The managers asked the auditors for help in prioritizing the projects, because their resources were limited. Because the projects were designed to reduce risks, the auditors decided to perform a risk assessment. To begin, the auditors helped management identify objectives and the risks to accomplishing those objectives. They identified 10 management objectives and six macro risks, which broke down into 36 micro risks.

To show the relationships among objectives, macro and micro risks, and projects, the auditors developed a matrix, a portion of which is shown in the Risk Matrix on page 73. Although helpful, the matrix was not enough, because a single risk addressed by one project might be more important than several risks addressed by another project. A more precise assessment of the risks was needed to help management prioritize the projects. The auditors suggested using the FMEA approach, and management agreed.

The first step was a two-hour FMEA training session given by the auditors to five line managers and operating people. The internal audit department then facilitated a series of four control self-assessment (CSA) workshops with the group, lasting three hours each.

For the analysis, each micro risk with a project (an X on the risk matrix) was identified as a failure mode, or what could go wrong. Each of the 109 failure modes was analyzed using the FMEA.
During the workshops, the auditors asked the group how each failure mode would be detected, how significant the failure would be, how likely it would be to occur, and how likely it would be to be detected in time to prevent real damage. The resulting RPN expressed the level of each risk as the network was currently functioning. This was not enough, however, for management to allocate resources. The managers still needed to know how much each risk could be reduced and at what cost. For example, if a failure mode with an RPN of 800 can only be reduced to 7 for $X while a failure mode with RPN of 5 can be reduced to 150 for the same cost, then the latter is a better risk-management decision.

To complete the analysis, the auditors asked the group to identify the causes of each failure mode and develop preventive, detective, and corrective action plans to address them. The group also identified the person in charge of each plan, establishing accountability early. Finally, the group assessed the level of residual risk (RPN') for each failure mode if the action plan was undertaken. The difference between RPN and RPN' is the level of risk reduction to be achieved by each action plan. After the workshop, managers calculated the cost of corrective plans and arrived at the most cost-effective allocation of resources.
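As an added example (not the article's own method or figures), the comparison described in this section can be carried out mechanically: each action plan records the current RPN, the residual RPN' expected if the plan is undertaken, the person in charge, and the plan's cost; the reduction RPN - RPN' divided by cost ranks the plans. The block goes one step beyond the article by also funding plans greedily in that order until a budget is exhausted, which is one simple way to turn the ranking into an allocation. The plans, owners, costs and ratings are constructed for illustration and do not reproduce the article's "$X" comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ActionPlan:
    """Action plan for one failure mode: current RPN, residual RPN' if carried out, and cost."""
    failure_mode: str
    owner: str            # person in charge, assigned in the workshop
    rpn: int              # current risk priority number (S x L x D)
    residual_rpn: int     # RPN' estimated for the mode after the plan is undertaken
    cost: float           # cost of the plan, in whatever unit management budgets in

    def __post_init__(self):
        # A plan cannot raise risk, and both numbers must stay on the 1-1,000 RPN range
        if not 1 <= self.residual_rpn <= self.rpn <= 1000:
            raise ValueError(f"{self.failure_mode}: need 1 <= RPN' <= RPN <= 1000")
        if self.cost <= 0:
            raise ValueError(f"{self.failure_mode}: cost must be positive")

    @property
    def reduction(self) -> int:
        """Risk reduction the plan achieves: RPN - RPN'."""
        return self.rpn - self.residual_rpn

    @property
    def reduction_per_cost(self) -> float:
        """RPN points removed per unit of cost; the article's comparison for equal-cost plans."""
        return self.reduction / self.cost


def rank_by_cost_effectiveness(plans):
    """Order plans by RPN reduction per unit of cost, best first."""
    return sorted(plans, key=lambda p: p.reduction_per_cost, reverse=True)


def select_within_budget(plans, budget):
    """Greedy allocation (an extension beyond the article): fund plans in order of
    reduction per cost, skipping any that no longer fit the remaining budget.
    Returns (chosen plans, total RPN reduction achieved, cost spent)."""
    chosen, spent, reduced = [], 0.0, 0
    for p in rank_by_cost_effectiveness(plans):
        if spent + p.cost <= budget:
            chosen.append(p)
            spent += p.cost
            reduced += p.reduction
    return chosen, reduced, spent


# Constructed sample plans (illustrative values, not the article's)
SAMPLE_PLANS = [
    ActionPlan("Backup link fails silently", "network operations lead", rpn=800, residual_rpn=700, cost=50_000),
    ActionPlan("Alarm threshold misconfigured", "NOC manager", rpn=500, residual_rpn=150, cost=50_000),
    ActionPlan("Ticket routed to wrong team", "service desk lead", rpn=96, residual_rpn=24, cost=4_000),
    ActionPlan("Log retention too short", "security operations", rpn=90, residual_rpn=30, cost=12_000),
]

if __name__ == "__main__":
    for p in rank_by_cost_effectiveness(SAMPLE_PLANS):
        print(f"{p.reduction_per_cost:.4f} RPN/unit  {p.rpn:4d} -> {p.residual_rpn:4d}  {p.failure_mode} ({p.owner})")
    chosen, reduced, spent = select_within_budget(SAMPLE_PLANS, budget=60_000)
    print(f"Budget 60,000: {len(chosen)} plans, RPN reduced by {reduced}, spent {spent:.0f}")
```

In the constructed data the two 50,000-cost plans mirror the article's point: the plan that takes 500 down to 150 removes 350 RPN points, the one that takes 800 down to 700 removes only 100, so the former is the better use of the same money even though it starts from a lower RPN.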
REINVENTING THE AUDIT PROCESS

Before using FMEA on an audit project, the auditors practiced the technique on themselves, both as a learning experience and to improve their audit process. They used a more typical FMEA analysis and started by breaking their audit process down into 57 subprocesses. Asking what could go wrong in each subprocess, they identified 113 failure modes. From that point, the analysis resembled the telecommunications network management audit.

The auditors found that more than half the risk of audit failure comes during the planning phase, as shown in the Audit Process - Total RPN pie chart on this page. They calculated the total RPN of all 113 failure modes to be 49,800. Of this total, 40 percent of the risk resided in 20 percent of the subprocesses. Prioritizing and carrying out their action plans, they reduced the RPN of the revised audit process to 18,120.
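The portfolio-level figures in this section (a total RPN, its split across process phases, the share of risk concentrated in a fraction of the subprocesses, and the before/after reduction) are straightforward to compute once each subprocess carries an RPN. The block below is an added example, not the article's own analysis; its ten subprocesses and their RPNs are constructed and much smaller than the article's 57 subprocesses, and the phase names are borrowed from the article's pie chart legend. The only figures from the article it uses are the 49,800 and 18,120 totals, to show the reduction ratio they imply.

```python
from collections import defaultdict

# Constructed subprocess RPNs for a small audit process, grouped by phase
# (illustrative figures, not the article's 57 subprocesses or 113 failure modes).
SAMPLE_SUBPROCESSES = [
    ("Preparation",      "Scope definition",      700),
    ("Preparation",      "Risk identification",   400),
    ("Preparation",      "Staffing",              100),
    ("Fieldwork",        "Sampling",              250),
    ("Fieldwork",        "Evidence collection",   150),
    ("Communication",    "Draft report review",   200),
    ("Communication",    "Exit meeting",           50),
    ("Follow-up",        "Action tracking",        80),
    ("Feedback tools",   "Client survey",          20),
    ("Adaptation score", "Methodology update",     50),
]


def total_rpn(subprocesses) -> int:
    """Sum of all subprocess RPNs (the article's 49,800 is this sum for its own process)."""
    return sum(rpn for _, _, rpn in subprocesses)


def share_by_phase(subprocesses) -> dict:
    """Percentage of total RPN carried by each phase, rounded to one decimal: the pie-chart view."""
    total = total_rpn(subprocesses)
    by_phase = defaultdict(int)
    for phase, _, rpn in subprocesses:
        by_phase[phase] += rpn
    return {phase: round(100 * value / total, 1) for phase, value in by_phase.items()}


def top_subprocesses(subprocesses, top_fraction=0.2) -> list:
    """Names of the highest-RPN subprocesses that make up the top `top_fraction` of the list."""
    ranked = sorted(subprocesses, key=lambda row: row[2], reverse=True)
    k = max(1, round(len(ranked) * top_fraction))
    return [name for _, name, _ in ranked[:k]]


def concentration(subprocesses, top_fraction=0.2) -> float:
    """Fraction of total RPN sitting in the top `top_fraction` of subprocesses
    (the article's '40 percent of the risk in 20 percent of the subprocesses' check)."""
    ranked = sorted((rpn for _, _, rpn in subprocesses), reverse=True)
    k = max(1, round(len(ranked) * top_fraction))
    return sum(ranked[:k]) / sum(ranked)


def reduction_achieved(before: int, after: int) -> float:
    """Share of total RPN removed by the action plans, e.g. 49,800 -> 18,120 in the article."""
    return (before - after) / before


if __name__ == "__main__":
    print("Total RPN:", total_rpn(SAMPLE_SUBPROCESSES))
    for phase, pct in share_by_phase(SAMPLE_SUBPROCESSES).items():
        print(f"  {phase:17s} {pct:5.1f}%")
    print("Top 20% of subprocesses:", top_subprocesses(SAMPLE_SUBPROCESSES))
    print(f"Risk held by that top 20%: {concentration(SAMPLE_SUBPROCESSES):.0%}")
    print(f"Article's reduction, 49,800 -> 18,120: {reduction_achieved(49_800, 18_120):.1%}")
```

Sorting by RPN before slicing is what makes the concentration figure meaningful; computed on the unsorted worksheet it would only report the share of whichever subprocesses happened to be listed first.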
A VALUE-ADDING TOOL

Although not appropriate for most audit projects because of its complexity and the time required of management, the technique is worth considering when an opportunity arises. An FMEA exercise can expand the set of audit techniques available to internal auditors and provide a forward-looking analysis of processes and systems.

Internal auditors should recognize that the FMEA assessment is subjective. The RPN expresses a qualitative statement about each of the three risk assessment factors. As long as this is kept in mind, FMEA can be a valuable aid to, but never a substitute for, management's judgment.

TOMMASO CAPURSO is head of the Technical and Systemic Audit Division at the Belgian State Railway Co. in Brussels. To comment on this article, e-mail the author at [email protected].

Readers are encouraged to share emerging risk issues and best practices from their own audit experiences. To submit a Risk Watch article for consideration or to request coverage of a particular risk, e-mail
[Figure: FMEA worksheet. Columns: Failure Mode | Detection Method | S | L | D | RPN | Causes | Preventive, detective, or corrective action | Person in charge | S | L | D | RPN']

[Figure: Audit Process - Total RPN pie chart. Values are paired with the legend labels in the order both appear in the extracted text.]
Preparation        54.6%
Fieldwork          16.6%
Communication      22.1%
Follow-up           4.0%
Feedback tools      0.8%
Adaptation score    2.0%

[Figure: Risk Matrix. Rows: management's objectives (A, B, C, D, ...); macro risks 1, 2, 3 broken down into micro risks 1a-1f, 2a-2d, 3a-3e; columns: Project 1, Project 2, Project 3, with an X marking each micro risk a project addresses. The individual X positions are not recoverable from the extracted text.]
In this matrix, A, B, C, etc., are the objectives; 1, 2, 3 are the macro risks; and a, b, c, etc., are the micro risks.
COPYRIGHT INFORMATION
TITLE: A Third Factor in Risk Assessment
SOURCE: Intern Audit 60 no6 D 2003
WN: 0333502742011
The magazine publisher is the copyright holder of this article and it
is reproduced with permission. Further reproduction of this article in
violation of the copyright is prohibited. To contact the publisher:
http://www.theiia.org/
Copyright 1982-2003 The H.W. Wilson Company. All rights reserved.