MU1 Online Article 3.2-1 Assessing_Risk


7/27/2019 MU1 Online Article 3.2-1 Assessing_Risk

IPPF Practice Guide

Assessing the Adequacy of Risk Management Using ISO 31000

December 2010

www.theiia.org/guidance / B

Table of Contents

Executive Summary ..... 1
Introduction ..... 1
Risk Management in Organizations ..... 2
Internal Auditing and Risk Management ..... 5
Internal Audit Review of Risk Management ..... 6
Obtaining Audit Evidence ..... 8
Areas of Risk Management Process ..... 9
Assessing Quality of Risk Management Documentation ..... 13
Authors ..... 14
Reviewers & Contributors ..... 14

Executive Summary

Many organizations are moving to adopt consistent and holistic approaches to risk management and recognize that risk management is a management process that should be fully integrated with the management of the organization. It applies at all levels of the organization: enterprise level, function level, and business-unit level.

The risk management framework must be designed to suit the organization: its internal and external environment. For risk management to be effective, the framework in any organization, regardless of size or purpose, should contain certain essential elements. This guide details three approaches to assurance of the risk management process: a Process Elements approach; an approach based on Principles of Risk Management; and a Maturity Model approach. The assurance process that is used should be tailored to the organization's needs.

Internal auditors should have a means of measuring the effectiveness of risk management in an organization. This can be achieved by the examination of criteria that reflect aspects of the risk management process. The criteria used must be relevant, reliable, understandable, and complete. The aggregate of the observations should allow the auditor to form a conclusion on the organization's level of risk management maturity.

The quality of an organization's risk management process should improve with time. Implementing effective risk management (true ERM) often takes several years. One of the key criteria that internal auditors should consider is whether there is a suitable framework in place to advance a corporate and systematic approach to risk management.

This practice guide uses ISO 31000 as a basis for the risk management framework. Other frameworks may be used to perform the risk assessment. This guidance does not imply implicit or explicit endorsement of this or any other framework.

Introduction

Over the last few years, the importance of managing risk as part of strong corporate governance has been increasingly acknowledged. Organizations are under pressure to identify the significant business risks they face (social, ethical, and environmental as well as strategic, financial, and operational) and to explain how they manage them. The use of enterprise-wide risk management frameworks has expanded as organizations recognize the advantages of coordinated approaches to risk management.

Risk management is defined in the Glossary of the International Standards for the Professional Practice of Internal Auditing (Standards) as "a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives."1 A comprehensive risk management framework provides an end-to-end link between objectives, strategy, execution of strategy, risks, controls, and assurance across all levels in the organization.

Enterprise risk management (ERM), or more properly enterprise-wide risk management, is a term in common use. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines it as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

ISO 31000 (Section 4.1) states that the success of risk management will depend on the effectiveness of the management framework "providing the foundations and arrangements that will embed it throughout the organization at all levels."2 A risk management framework refers to the components and organization of risk management within an entity.

Standard 2120 states "the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes." It continues with the following interpretation.

Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:

• Organizational objectives support and align with the organization's mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization's risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

The starting point for improving an organization's approach to risk management should be a gap analysis that takes stock and evaluates what processes and systems are present now. If any of the essential parts are missing, it is highly unlikely that risk management will become effective. Internal auditors have an important role to play in assessing and improving risk management in their organizations, and assessing the organization's risk management activities is a critical component in that effort.

This practice guide uses the structure and some of the terminology of ISO 31000. While ISO 31000 is not designed as a basis for certification, its concepts and structures form a basis for assessing any risk management process. The ISO 31000 framework is not the only risk management framework in common use, and this guidance does not imply any endorsement of this particular framework.

Risk Management in Organizations

Governance

The ISO 31000 Risk Management Standard provides guidance for the framework of risk management applicable for organizations of any size. ISO 31000 defines a risk management framework as "a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization."3 The risk management framework, regardless of the level of formality, is inherently embedded in an organization's overall strategic and operational policies and practices. Organizational arrangements include plans, relationships, accountabilities, resources, processes, and activities. The diagram on page 3 (Figure 1) shows a conceptual model that can be used for analysis of these arrangements.

The internal auditor should assess whether the framework takes into consideration and defines risk management responsibilities and the risk management strategy, and whether the elements of the framework allow for the building of a risk-smart workforce and environment while still allowing for responsible risk-taking and innovation.

1 This is consistent with the International Organization for Standardization's (ISO's) definition of risk management, which is "coordinated activities to direct and control an organization with regard to risk." (ISO Guide 73:2009, Definition 2.1)

2 ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this ISO material may be copied or reproduced in any form, electronic retrieval system or otherwise made available on the Internet, a public network, by satellite or otherwise without the prior written consent of ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org

3 Ibid.

Figure 1 Framework for Managing Risk (ISO 31000): Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework.

Responsibilities for Risk Management

The International Organization for Standardization (ISO) defines risk attitude as an "organization's approach to assess and eventually pursue, retain, take or turn away from risk."4 Management is responsible for setting the organizational attitude regarding risk, and the board is responsible for determining whether the risk attitude is aligned with the best interests of shareholders.

Boards provide governance oversight of ERM and should understand key elements of ERM, ask management about risks, and concur on certain management decisions. Stakeholders should be given sufficient information to understand the risk attitude of management and the board, in order to invest in accordance with their tolerances for potential variation in performance. Organizations communicate levels of risk through quarterly and annual reports, press releases, investor calls, etc.

The board has overall responsibility for ensuring that risks are managed and that there is an adequate risk management system in place. In practice, the board will delegate the operation of the risk management framework to the management team. There may be a separate function with specialized skills and knowledge that coordinates and project-manages these activities, but everyone in the organization plays a role in ensuring successful enterprise-wide risk management, and the primary responsibility for identifying and managing risks lies with management.

Monitoring and Assurance

The application of ERM changes over time. The risk attitude can change due to internal or external factors; once-effective risk responses may become irrelevant, and control activities may become less effective or no longer be performed. Changes can be brought about by the arrival of new personnel, changes in entity structure, or introduction of new processes. Furthermore, entity objectives, as well as the nature of potential events or conditions that may affect the achievement of those objectives, will change. Accordingly, management needs to determine whether the ERM components continue to be relevant and able to address new risks.

A critical element of a sound risk management system is monitoring to ensure it is performing as intended. Monitoring can be done in two ways: through ongoing activities or separate evaluations. This combination of ongoing monitoring and separate evaluations will ensure that ERM maintains its effectiveness over time.

ERM processes incorporate periodic evaluation of risks and risk ratings. The greater the degree and effectiveness of ongoing monitoring, the less the need there may be for separate evaluations. The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of ERM is a matter of management's judgment. In making that determination, consideration is given to the nature and degree of changes, the competence and experience of the people implementing risk responses and related controls, the nature and significance to the business of the risks that are being managed, and the results of the ongoing monitoring.

Ongoing monitoring is built into the normal, recurring operating activities of an entity. It can be more effective than separate evaluations, because it is performed on a real-time basis, reacting dynamically to changing conditions, and is ingrained in the entity. Problems will often be identified most quickly by ongoing monitoring processes since separate evaluations take place after the fact. Some entities with sound ongoing monitoring activities will nonetheless conduct a separate evaluation of ERM, or portions thereof. The perceived level of objectivity is greater for separate evaluations than for self-monitoring.

An entity that perceives a need for frequent separate evaluations should focus on ways to enhance its ongoing monitoring activities and, thereby, to emphasize building in rather than adding on monitoring activities.

The need for assurance arises from the governance processes of an organization. Its origin is in the stewardship relationship between the board of an organization and its stakeholders. This stewardship relationship positions boards to establish processes to both delegate and limit power to pursue the organization's strategy and direction in a way that enhances the prospects for the organization's long-term success. Assurance processes allow the board to monitor the exercise of that power.

The internal audit activity will normally provide assurance over the entire risk management process, including risk management activities (both their design and operating effectiveness), management of those risks classified as key (including the effectiveness of the controls and other responses to them), verification of the rigor and reliability of risk assessments, and reporting of the risk and control status.

With responsibility for monitoring and assurance activities traditionally being shared among various parties, including line management, internal auditing, risk management specialists, and the compliance function, it is important that assurance activities be coordinated to ensure resources are used in the most efficient and effective way. It is common for organizations to have a number of separate groups performing different risk management, advisory, compliance, and assurance functions independently of one another. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged.

The chief audit executive (CAE) is directed by Standard 2050 to coordinate activity with other assurance providers. The use of an assurance map can help achieve this, offering an effective tool to manage and communicate this coordination. Practice Advisory 2050-2 provides more information regarding Assurance Maps.

4 Ibid.

Internal Auditing and Risk Management

Standard 2100 states that "the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach." The internal audit activity often has a role providing independent and objective assurance to the organization's board regarding the effectiveness of an organization's ERM activities. This helps ensure key business risks are being managed appropriately and the organization's system of internal controls is operating effectively and efficiently.

Risk management is a management process that promotes the cost-effective achievement of organizational objectives; assurance provides reliable information about the achievements of risk management activity. Assurance and risk management are complementary processes.

In support of the risk management process, internal auditing and other independent assurance providers would assess whether:

• The risk management process has been applied appropriately and all elements of the process are suitable and sufficient.
• The risk management process is in keeping with the strategic needs and intent of the organization.
• All significant risks have been identified and are being treated.
• Controls are being correctly designed in keeping with the objectives of the risk management process.
• Critical controls are adequate and effective.
• Reviews by line management and other nonaudit assurance activities are effective at maintaining and improving controls.
• Risk treatment plans are being executed.
• There is appropriate and as-reported progress in the risk management plan.

In support of the assurance process, the risk management process will:

• Establish an organization-specific, documented risk management framework.
• Provide a structured analysis of the risks of the organization, recording:
  - The organizational objective(s) and their associated risks.
  - Potential exposures and assessments of current risk.
  - The organizational position responsible for managing each risk.
  - The key control systems established to manage each risk.

It is not uncommon for the internal audit activity of an organization to work in close cooperation with the risk management function. Some organizations do not have a formal risk management function and, in this case, internal auditing often provides more extensive risk management consulting services to the organization. Internal auditing may provide risk management consulting, provided certain conditions apply:

• It should be clear that management remains responsible for risk management. Whenever internal auditing consults with the management team to set up or improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these activities to members of management.
• Internal auditing cannot give objective assurance on any part of the risk management framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
• The nature of such services provided to the organization should be documented in the internal audit charter and be consistent with other internal audit responsibilities.
• Any consulting advice or challenge to (or support of) management's decision-making does not involve internal auditing making risk management decisions themselves.

The IIA Position Paper "The Role of Internal Auditing in Enterprise-wide Risk Management" includes the following diagram that illustrates a range of ERM activities and indicates which roles an effective professional internal audit function should and should not undertake.

Figure 2 Internal Audit Role in ERM

• Core internal audit roles in regard to ERM: giving assurance on the risk management processes; giving assurance that risks are correctly evaluated; evaluating risk management processes; evaluating the reporting of key risks; reviewing the management of key risks.
• Legitimate internal audit roles with safeguards: facilitating identification and evaluation of risks; coaching management in responding to risks; coordinating ERM activities; consolidated reporting on risks; maintaining and developing the ERM framework; championing establishment of ERM; developing ERM strategy for board approval.
• Roles internal audit should not undertake: setting the risk appetite; imposing risk management processes; management assurance on risks; taking decisions on risk responses; implementing risk responses on management's behalf; accountability for risk management.

Internal Audit Review of Risk Management

For higher risk areas where management has acknowledged the need to improve controls, there may be an opportunity for internal auditing to add value to the organization through consulting activities. The middle third of audit activities in Figure 2 above represent advisory and consulting activities, delivered at the entity or business unit/departmental level, in a manner that should maintain internal auditing's independence and objectivity.

Although such advisory and consulting activities can be a valuable part of an audit plan, the scope of this Practice Guide focuses on the assurance activities described on the left side of the fan. Such activities can be categorized in three primary types:

• Assurance on the risk management process itself.
• Assurance on significant risks and management assertions.
• Follow-up of risk treatment plan status.

Assurance on the Risk Management Process

Assurance on the risk management process itself can be performed to provide reasonable assurance to senior management and the board that an organization's risk management program is effectively designed, documented, and operating to achieve its objectives. Potential questions that such assurance should be designed to answer could include:

• Does the risk management program have adequate commitment from organization management, including adequate stature and resources in relation to risks, and is it an appropriate part of organizational processes and decision-making?

• Are the risk management framework design and risk evaluation criteria appropriate for the internal and external context (environment) of the organization?
• Is there adequate definition and communication of requirements, risk evaluation criteria, and accountability for the development, implementation, and maintenance of the risk management framework and specific risk area evaluations?
• Is the risk attitude established at the proper level in the governance structure of the organization?
• Are internal communication and reporting mechanisms adequate to ensure that key outcomes of the risk management activities are communicated appropriately within the organization (balancing transparency with sensitivity)?
• Do reports to stakeholders adequately reflect the organization's attitude to and treatment of risks?
• Are external communication and reporting mechanisms adequate to comply with relevant legal, regulatory, corporate governance, and disclosure requirements?
• Do adequate performance measures and reporting exist to monitor the design and effectiveness of the risk management framework?
• Are risk evaluation criteria, appetites, responses, and escalation/reporting requirements consistently applied in practice across the organization? Are people with the appropriate knowledge responsible for risk identification? Is the current state of risk identification adequate?
• Are the risk framework and related processes and controls modified as business conditions and organizational needs change?
• Are people with the appropriate knowledge responsible for risk analysis, evaluation, and treatment/response? Are these activities adequately reviewed and approved?
• Are risk treatment plans and status monitored and adequately communicated with appropriate levels of management and the board?

Assurance on Significant Risks and Management Assertions

During all other assurance work where the scope relates to higher potential exposures identified in an organization's risk management process, audit procedures and communications should be designed to evaluate management's assertions on the effectiveness of controls in bringing risk within an organization's risk tolerance threshold. Reports to management (and the board) can describe the potential exposure and management's assessment of current risks (with the implied value of the controls in place) together with the audit evaluation of the risk ratings. Any differences should be fed into management's risk management process for consideration.

The cumulative effect over time of such assurance activities over specific risk areas in a risk-based audit plan will provide assurance not only over those specific risk areas, but serve as assurance of the effectiveness of the overall risk management process.

Follow-up of Risk Treatment Plan Status

For risk treatment or control remediation plans relating to higher potential exposures, especially where plans are relatively longer in duration, it may be appropriate to monitor performance against the plan. At a minimum, such monitoring should be designed to provide management with an assessment of progress against milestones and validate risk treatment plan status reports to the board. In addition, such monitoring can assess the plan structure, resources, accountabilities, project management, etc., and provide recommendations and considerations to enhance the likelihood of plan success.

  • 7/27/2019 MU1 Online Article 3.2-1 Assessing_Risk

    10/17

    www.theiia.org/guidance / 8

    IPPF Prai Gi

    Aig Aa f

    Ri Maagm uig Iso 31000

    oaiig Ai eviIn audits o the risk management process o an organiza-

    tion, Practice Advisory 2120-1, Assessing the Adequacy o

    Risk Management Processes, paragraph 8, states:

    Internal auditors need to obtain sufcient and appropri-

    ate evidence to determine that the key objectives o the

    risk management processes are being met to orm an

    opinion on the adequacy o risk management processes.

    In gathering such evidence, the internal auditor might

    consider the ollowing audit procedures:

    Research and review current developments, trends,

    industry inormation related to the business conduct-

    ed by the organization, and other appropriate sources

    o inormation to determine risks and exposures

    that may aect the organization and related control

    procedures used to address, monitor, and reassess

    those risks.

    Review corporate policies and board minutes to

    determine the organizations business strategies, risk

    management philosophy and methodology, appetite

    or risk, and acceptance o risks.

    Review previous risk evaluation reports issued by

    management, internal auditors, external auditors,

    and any other sources.

    Conduct interviews with line and senior manage-

    ment to determine business unit objectives, related

risks, and management's risk mitigation and control monitoring activities.

• Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring, and communication of risks and associated control activities.

• Assess the appropriateness of reporting lines for risk monitoring activities.

• Review the adequacy and timeliness of reporting on risk management results.

• Review the completeness of management's risk analysis and actions taken to remedy issues raised by risk management processes.

• Determine the effectiveness of management's self-assessment processes through observations, direct tests of control and monitoring procedures, testing the accuracy of information used in monitoring activities, and other appropriate techniques.

• Review risk-related issues that may indicate weakness in risk management practices and, as appropriate, discuss with senior management and the board. If the auditor believes that management has accepted a level of risk that is inconsistent with the organization's risk management strategy and policies, or that is deemed unacceptable to the organization, refer to Standard 2600 and related guidance for additional direction.

Different techniques can be used to obtain audit evidence, including:

• Observations, for example by being present when risk management is carried out at the different levels of the organization, from the board all the way down to individual departments, programs, projects, and employees.

• Interviews.

• Document reviews, for example agendas, supporting documents and minutes from board, executive, or other senior management committees, strategic plans, and supporting documents for resourcing decisions.

• Results from previous audits.

• Reliance on the work of others.

• Analytical techniques, for example root cause analysis of detected faults.

• Process mapping.

• Statistical analysis, for example analysis of the types of incident or near misses.

• Risk model review and assessment.


• Surveys.

• Analysis of control self-assessment.

Often, a combination of different audit techniques will be used to gather sufficient information and evidence to reach a conclusion. The auditor selects the most appropriate procedure for the audit objective of the assignment. The auditor also assesses whether sufficient resources and skills are available to perform all the work required to provide sufficient support for an opinion. The auditor considers whether it might be prudent to decline to express the opinion, or to qualify the opinion by excluding certain areas or risks from the scope of the opinion, if sufficient resources or skills are not available.

The requirement for evidence will vary depending on the kind of opinion the auditor wishes to render. Positive assurance provides the highest level of assurance and normally also requires the most evidence to support the opinion. Such an opinion implies not only, for example, that controls and risk mitigation processes are adequate and effective, but also that sufficient evidence was gathered to be reasonably certain that evidence to the contrary, if it exists, would have been identified.

Negative assurance does not provide as much assurance and therefore normally does not require as much audit evidence. When rendering negative assurance, the auditor, for example, states that based on the work done, nothing came to the auditor's attention. By rendering such an opinion, the auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. Such an opinion is generally considered less valuable than positive assurance. More extensive guidance on opinions can be found in the Practice Guide Formulating and Expressing Internal Audit Opinions.

Audit conclusions should be factual, objective, and backed by sufficient audit evidence. Sufficiency implies the audit evidence is factual, adequate, and convincing, so that a prudent, informed person would reach the same conclusions as the auditor. Audit evidence must be appropriately documented and organized.

The audit activity must not unknowingly provide any level of false assurance (reference PA 2120-2: Managing the Risk of the Internal Audit Activity, paragraph 8). False assurance is a level of confidence or assurance based on perceptions or assumptions rather than fact. In many cases, the mere fact that the internal audit activity is involved in a matter may create some level of false assurance. The scope of internal audit activity involvement may be misunderstood and, consequently, false assurance may result.

Assurance of Risk Management Processes

A governing body should be able to determine the extent to which the risk management process in its organization meets the needs of the organization and has adopted generally accepted good practice. Risk management is a critical component of the system of internal control, so deficient risk management processes are an indicator that the organization's system of internal control may be deficient.

It is important that an organization obtains assurance on its risk management process. This assurance must accommodate the possibility that the internal auditor might not be functionally independent of the risk management function. In this case, assurance may be sought from an external party.

Three forms of assurance process that may be used in assessing a risk management process are outlined below:5

5 These approaches are quoted from HB158:2010 Delivering assurance based on ISO 31000:2009 Risk management - Principles and guidelines, a joint publication of Standards Australia, IIA-Australia, and the IIA Research Foundation. HB158 provides a more extensive discussion of these and other issues.


• Process elements approach

• Key principles approach

• Maturity model approach

While each form is self-contained, they each offer a different perspective on the effectiveness of a risk management process in an organization. Often, the adoption of more than one approach can yield the most informative and useful results. The risk management process should be appropriately tailored to the organization, its size, culture, objectives, and risk profile. Therefore, the assurance process also needs to be tailored to the organization's needs.

The results of any desk-based review must be validated by examining whether the risk management framework is operating effectively in practice. This means that this type of assurance activity should not be conducted in isolation and should always accompany or involve normal control-based assurance that determines whether:

• Risks are being effectively identified and appropriately analyzed.

• There is adequate and appropriate risk treatment and control.

• There is effective monitoring and review by management to detect changes in risks and controls.

Process Element Approach

This approach checks whether each element of the risk management process is in place. It is essential to validate management's expressions of intent through sufficient audit evidence to substantiate that the element is being satisfied in practice. Management representation alone would rarely be sufficient. ISO 31000 identifies seven components of the risk management process:

• Element 1 - Communication: Sound risk management requires structured and ongoing communication and consultation with those who are affected by the operations of the organization or activity.

• Element 2 - Setting the Context: The external environment (political, social, etc.) and internal environment (objectives, strategies, structures, ethics, discipline, etc.) of the organization or activity must be understood before the full range of risks can be identified.

• Element 3 - Risk Identification: Identifying the risks should be a formal, structured process that considers sources of risk, areas of impact, and potential events and their causes and consequences.

• Element 4 - Risk Analysis: The organization should use a formal technique to consider the consequence and likelihood of each risk.

• Element 5 - Risk Evaluation: The organization should have a mechanism to rank the relative importance of each risk so that a treatment priority can be established.

• Element 6 - Risk Treatment: Sound risk management requires rational decisions about risk treatment. Classically, such treatment is to avoid the activity from which the risk arises, share the risk, manage the risk by the application of controls, or accept the risk and take no further action.

• Element 7 - Monitor and Review: Monitoring includes checking the progress of treatment plans, monitoring controls and their effectiveness, ensuring that proscribed activities are avoided, and checking that the environment has not changed in a way that affects the risks.

Key Principles Approach

This approach is based on the concept that to be fully effective, any risk management process must satisfy a minimum set of principles or characteristics. ISO 31000 includes a section (Clause 4) on these principles. An audit based on these principles would assess to what extent they are true for the risk management process in an organization:

• Risk management creates and protects value.6 This implies the application of the most rigorous risk management when the value at stake is highest. It also suggests that a range of techniques applicable at various levels of exposure should be available in the organization.

• Risk management is an integral part of organizational processes.7 Risk management should not be seen as an add-on task.

• Risk management is part of decision-making.8 The more important the decision, the more explicit this association should be.

• Risk management explicitly addresses uncertainty.9 Risk assessments would be expected to document areas of uncertainty and consider how best to address the uncertainty identified.

• Risk management is systematic, structured, and timely.10

• Risk management is based on the best available information.11 Obtaining information can be expensive, and the process should provide guidance on what constitutes sufficient information.

• Risk management is tailored.12 It is not an out-of-the-box process and must match the operations of the organization.

• Risk management takes human and cultural factors into account.13 The processes must be appropriate to the competence and culture of those who must use them.

• Risk management is transparent and inclusive.14 There should be appropriate and timely involvement of stakeholders.

• Risk management is dynamic, iterative, and responsive to change.15 The process should be regularly reviewed and respond to changes in the organization and its environment so that it remains relevant.

• Risk management facilitates continual improvement and enhancement of the organization.16 Risk management should mature along with other organizational processes.

6 ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this ISO material may be copied or reproduced in any form, electronic retrieval system or otherwise made available on the Internet, a public network, by satellite or otherwise without the prior written consent of ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org.
7 Ibid.
8 Ibid.
9 Ibid.
10 Ibid.
11 Ibid.
12 Ibid.
13 Ibid.
14 Ibid.
15 Ibid.
16 Ibid.

Maturity Model Approach

The maturity model approach builds on the assertion that the quality of an organization's risk management process should improve with time. Immature systems of risk management yield very little return for the investment that has been made and often operate as a compliance overhead or an imposition, more concerned with the reporting of risks than with their effective treatment. Effective risk management processes are developed over time, with additional value being provided at each step in the maturation process. This approach provides an assessment of where the organization's risk management process lies on the maturity curve, so that the board and management can assess whether it meets the current needs of the organization and is maturing as expected.

A key aspect of the maturity model approach is the linking of risk management performance and progress in the execution of a risk management plan to a performance measurement and management system. The outputs from such a system can be presented to senior management and the board as evidence of improvement in risk management. The components for such a system normally consist of:

• A protocol of performance standards, considering current approaches to risk management and anticipating future strategic needs. Performance standards are normally supported by a list of more detailed performance requirements that enable measurement of any improvement in performance.

• A guide to how the standards and sub-requirements can be satisfied in practice.

• A means of measuring actual performance against each standard and sub-requirement.

• A means of recording and reporting performance and improvements in performance.

• The periodic independent verification of management's assessment.

Clause 4 of ISO 31000 contains a list of practical and important principles that should be the starting point for any maturity evaluation. These principles address not only "does the process element or system exist" but also "is it effective and relevant for your organisation" and "does it add value". In fact, the first principle is that risk management must add value.

Actual performance against each performance standard is assessed using some system of maturity measurement that gives credit for intent, but full scores can only be obtained by the complete implementation and practical application of the standard. A possible system for measuring maturity (based on the original idea of Capability Maturity Models developed by Carnegie Mellon University) is shown below.

Measure: Meaning

None: Very little or no compliance with the requirement in any way.

Very little: Only limited compliance with the requirement. Management supports the intent, but compliance in practice is poor.

Some: Limited compliance with the element statement. Certainly agree with the intent, but limited compliance in practice.

Good: Management completely subscribes to the intent, but there is partially complete compliance in practice.

Complete: Absolute compliance with the element statement in intent and in practice at all times and in all places.

Figure 3: Maturity Model (source: HB158)


Assessing Quality of Risk Management Documentation

The extent of documentation of an entity's ERM will vary with the entity's size and complexity. Larger organizations usually have written policy manuals, formal organization charts, written job descriptions, operating instructions, information system flowcharts, and so forth. Smaller, less complex organizations typically have considerably less documentation.

Many aspects of ERM may be informal and undocumented and yet can be regularly performed and highly effective. These activities may be tested in the same ways as documented activities. The fact that elements of ERM are not documented does not necessarily mean that it is not effective or cannot be evaluated. An appropriate level of documentation, however, usually makes monitoring more efficient. It is helpful in other respects too: it facilitates employees' understanding of how the process works and their particular roles, and makes it easier to make modifications when necessary.

In deciding to document the evaluation process itself, the internal auditor will usually draw on existing documentation of the entity's ERM processes. Existing documentation will typically be supplemented with additional documents prepared by the auditor, including evidence of the tests and analyses performed in the assessment process. The nature and extent of documentation normally is more substantive when statements about ERM are made to other parties.

When management intends to make a statement to external parties regarding ERM effectiveness, it should consider developing and retaining documentation to support the statement. The internal auditor should consider whether:

• A strategy for managing risk information from all sources is in place.

• Necessary infrastructure for communicating risk information is in place.

• There are common definitions.

• There are guidelines for the creation, deletion, and sharing of risk information.

• There are adequate resources assigned.

• Technology is cost efficient and used where appropriate.

• A proactive approach is taken for monitoring.

• Risk information is part of the planning process.

• Risk information is integrated with performance information.

These considerations and any decisions made to implement activities/processes should be documented. Such documentation may be useful if the statement is subsequently challenged.


Authors

Andrew MacLeod, CIA
Patricia A. MacDonald
Benito Ybarra, CIA
Trygve Sorlie, CIA, CCSA
Brian Foster, CIA
Teis Stokka, CIA

Reviewers and Contributors

Douglas J. Anderson, CIA
Steven E. Jameson, CIA, CCSA, CFSA
James A. Rose, III, CIA


About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at [email protected].

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org