Part II: Risk Assessment

In the last post on this topic, we discussed the importance of the control environment in preventing and responding to fraud risk.  Another component of the COSO framework for fraud risk management is assessing your risk.  Every business faces risk; the point of assessment is to measure it so that you can set a risk appetite, the level of risk that is acceptable given your business goals and available resources.

Enterprise Risk Management (ERM) is the process a business uses to manage risk and, as a result, achieve its goals.  It involves identifying fraud risks, assessing their impact on the company, and determining an appropriate response.  The process is typically conducted or overseen by the board, senior management, or the internal audit function.

1)    Identify Risks:

Identifying risks means building a master list of risks organized by their financial, operational, strategic, and compliance impact.  At this stage, managers take a broad view of all possible threats so that the full universe of potential impact is captured; narrowing the list comes later.

2)    Develop Assessment Criteria:

To refine the universe of risks that managers have identified, the business must develop a standard set of criteria that applies to every business unit, function, and project, so that risks can be compared on the same basis.  Companies commonly rate each risk's likelihood, financial impact, vulnerability (how exposed the company is given its existing controls), and speed of onset.  The criteria can be as simple as 5-point scales in each category.

3)    Assess Risk: 

A business can assess each risk using qualitative and quantitative analysis.  Qualitative analysis is typically easier to implement and does not require financial benchmarks.  It includes techniques such as surveys, benchmarking, and scenario analysis.  Qualitative studies often provide insight into issues beyond economic measurement, such as the company's vulnerability and the impact a fraud event would have on its reputation.

Quantitative analysis typically follows the qualitative study and is performed on the most important risks.  It requires assigning numerical values to each risk's impact and likelihood.  This type of analysis is more time-consuming and costlier, but it supports cash flow and cost-benefit analysis.  It often includes benchmarking and predictive modeling.

4)    Prioritize Risks: 

Once risks are identified and assessed, management's next job is to prioritize them for an appropriate response.  Risks are often ranked within a hierarchy of business units, functions, or projects, and plotted on a risk map so that high-likelihood, high-impact items stand out.
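As an added example (not from the post or from Abacus CPAs), the following Python builds a small fraud risk register using the four 5-point criteria described above, scores each risk, ranks the register, places each risk in a risk-map zone, groups risks by owning unit, and splits them against a risk appetite threshold.  The weighting formula, the map thresholds, the sample risks and their ratings are all assumptions constructed for illustration; a company would substitute its own criteria and appetite.

```python
"""Fraud risk register scoring and prioritization (added example, not from the post)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # the post's 5-point scales; assumption: the same scale for every criterion


@dataclass
class Risk:
    name: str
    category: str       # financial, operational, strategic or compliance impact
    unit: str           # business unit, function or project that owns the risk
    likelihood: int     # 1 = remote .. 5 = almost certain
    impact: int         # financial impact, 1 = negligible .. 5 = severe
    vulnerability: int  # exposure given current controls, 1 = well controlled .. 5 = exposed
    onset: int          # speed of onset, 1 = slow-developing .. 5 = immediate

    def __post_init__(self) -> None:
        # Ratings must stay on the agreed scale so scores are comparable across units.
        for criterion in ("likelihood", "impact", "vulnerability", "onset"):
            value = getattr(self, criterion)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {criterion}={value} is outside the 1-5 scale")

    def score(self) -> float:
        # Assumed weighting: likelihood x impact is the base; vulnerability and onset
        # together scale it by 0.5 (well controlled, slow) up to 1.5 (exposed, immediate).
        modifier = 1 + (self.vulnerability + self.onset - 6) / 8
        return self.likelihood * self.impact * modifier


def map_zone(risk: Risk) -> str:
    """Place a risk in a likelihood/impact risk-map zone (zone thresholds are assumptions)."""
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "critical"
    if risk.likelihood >= 3 and risk.impact >= 3:
        return "high"
    if risk.likelihood >= 3 or risk.impact >= 3:
        return "medium"
    return "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank risks by composite score, highest first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def by_unit(risks: list[Risk]) -> dict[str, list[Risk]]:
    """Group risks by owning unit, each group ranked, mirroring the hierarchy the post describes."""
    groups: dict[str, list[Risk]] = {}
    for r in risks:
        groups.setdefault(r.unit, []).append(r)
    return {unit: prioritize(group) for unit, group in groups.items()}


def split_by_appetite(risks: list[Risk], appetite: float) -> tuple[list[Risk], list[Risk]]:
    """Risks scoring above the appetite threshold need a planned response; the rest are accepted."""
    ranked = prioritize(risks)
    respond = [r for r in ranked if r.score() > appetite]
    accept = [r for r in ranked if r.score() <= appetite]
    return respond, accept


def build_register() -> list[Risk]:
    """Constructed sample register; names and ratings are illustrative, not data from the post."""
    return [
        Risk("Vendor invoice fraud", "financial", "Purchasing", 4, 4, 4, 2),
        Risk("Payroll ghost employees", "financial", "HR", 2, 2, 3, 1),
        Risk("Financial statement manipulation", "strategic", "Finance", 2, 5, 2, 2),
        Risk("Expense reimbursement abuse", "operational", "Sales", 5, 1, 4, 3),
        Risk("Customer data theft", "compliance", "IT", 3, 5, 4, 5),
    ]


if __name__ == "__main__":
    register = build_register()
    respond, accept = split_by_appetite(register, appetite=6.0)
    for r in prioritize(register):
        print(f"{r.score():6.2f}  {map_zone(r):8}  {r.unit:11}  {r.name}")
    print("respond:", [r.name for r in respond])
    print("accept: ", [r.name for r in accept])
```

The point of the composite score is that a risk with moderate likelihood but severe impact, weak controls and fast onset ("Customer data theft" in the sample) outranks a risk that is likelier but slower and better controlled; a plain likelihood-times-impact product would hide that.  The risk map keeps the simple two-axis view alongside the ranking, and the appetite threshold is the point at which the company commits to a response rather than accepting the risk.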

With these steps and analyses in place, a company is ready to plan how to respond to risk appropriately.  For more information on how to begin assessing your risks, contact Abacus CPAs, LLC at 417-823-7171.

Better Guidance. Smarter Decisions.

Matt Clark, CPA, CIA