Risk Assessments Re-Imagined
2017 IIA Orange County Fall Event
“Agility in a changing landscape”
Page 2
Session objective
Present a Risk Assessment approach that reflects the theme for this year’s IIA Los Angeles Conference:
“Agility in a changing landscape”
Page 3
Agenda
► Session objective
► Introduction
► Comparison of traditional Risk Assessment approach vs EY’s innovative approach
► Case Study
► Questions
Page 4
EY’s approach for Risk Assessments
Page 5
Traditional Risk Assessments approach
► Performed once or twice a year
► Time consuming one-on-one interviews
► Manual aggregation of results
► Difficulty in keeping interviews consistent
► Information flows in one direction
► Haphazard updates to risk register / universe
► Lack of transparency
► Results lack buy-in
Page 6
EY’s innovative approach
► Engages all participants
► Accelerates speed to outcomes
► Removes barriers to effective collaboration
► Drives alignment and buy-in
► Improved quality of results
► Superior experience
Many-to-many functionality dramatically increases the number of ideas generated.
View real-time results.
Anonymity frees ideas, providing open, honest feedback.
Page 7
EY’s innovative approach
► How? ThinkTank, an online collaboration tool. ThinkTank-enabled activities:
► Anonymity promotes honest input, regardless of position or who else is participating
► Simultaneous contributions enable fast, effective risk identification and clarification, which allows more time for deep discussion and analysis, generating greater buy-in
► Instant vote results representation allows for immediate analysis; quickly identify alignment or strong differences in opinions that will require further discussion
► The ability to gather input, clarify for shared understanding, and prioritize and evaluate risks on Impact, Likelihood, Management Preparedness
► Gather both quantitative as well as qualitative data, vote results with vote reasoning
► Process and outcomes transparency; every input and assessment captured in real time
► Leverage the platform’s virtual collaborative capabilities to engage more participants and reduce travel costs
Page 8
Case study
Page 9
EY’s ThinkApp for Risk Assessments
STEP 1: Generate / Validate / Clarify Risks
► Option 1: Starting with a pre-defined list (review/clarify purposes only)
► Option 2: Starting with a predefined list (review/clarify) and ability to add new risks
► Option 3: Starting with a “Blank Slate”
STEP 2: Prioritize Risks
► Top X assessment: pick your Top X (risks, projects, etc.)
► Options: capture vote reasoning with commenting feature
STEP 3: Assess Top Risks
► Impact, Likelihood, Management Preparedness, and Velocity: multi-criteria assessment of the Top X risks
► Options: Velocity is optional (delete the column if you do not intend to assess it)
STEP 4: Top Risks Assessment Rationale
► Option 1: Clarify vote rationale for high and/or low assessed risks
► Option 2: Clarify drivers, root causes, controls, etc. for high assessed risks
STEP 5: End of Session Activities
► Option 1: Additional risks or areas
► Option 2: Any additional questions
► Option 3: Feedback on session, technology, approach, or anything missed
Page 10
Case study approach
► In-depth review of EY’s 5-step process for Risk Assessments
► For each step we will cover:
► ThinkTank activities / options
► Objectives for each of the activities
► Summary of benefits of innovative approach vs traditional approach
Page 11
[Process diagram: Step 1, Generate / Validate / Clarify Risks, with Options 1 to 3 as in the ThinkApp overview]
Generate / Validate / Clarify Risks
[Screen callouts: “Select”, “Provide input here”]
Page 12
[Process diagram: Step 1, Generate / Validate / Clarify Risks]
Generate / Validate / Clarify Risks
[Screen callouts: “Select”, “Add new risks here”]
Page 13
[Process diagram: Step 1, Generate / Validate / Clarify Risks]
Generate / Validate / Clarify Risks
[Screen callout: “Add new risks here”]
Page 14
Generate / Validate / Clarify Risks
Traditional approach
► Risk register may be outdated or missing key risks
► Participants may not understand the risks
► Lack of ownership by participants
ThinkApp approach
► Risk register is up to date with input from participants
► Shared understanding of risks by all participants
► Buy-in from participants since they were part of the process
Page 15
Prioritize risks
[Process diagram: Step 2, Prioritize Risks; Top X assessment, pick your Top X (risks, projects, etc.); option to capture vote reasoning with commenting feature]
[Screen callouts: “Ability to provide selection rationale”, “Prioritize top 3 risks (or top X risks)”]
Page 16
Prioritize risks
[Process diagram: Step 2, Prioritize Risks]
Page 17
Prioritize risks
Traditional approach
► Manual aggregation of risk prioritization
► Limited input due to limited number of participants
► Lack of visibility of aggregate risk view by participants
► No buy-in from participants
ThinkApp approach
► Automated prioritization of risks by participants
► Organized mechanism to capture rationale for risk ranking
► Immediate visibility to HIGH and LOW risk
► Buy-in from participants since they were part of the process
Page 18
Assess top risks
[Process diagram: Step 3, Assess Top Risks; multi-criteria assessment of the Top X risks on Impact, Likelihood, Management Preparedness, and Velocity (Velocity is optional: delete the column if you do not intend to assess it)]
[Screen callout: “Ability to provide selection rationale”]
Page 19
Assess top risks
[Process diagram: Step 3, Assess Top Risks]
[Screen callout: “Ability to toggle between tabs”]
Page 20
Assess top risks
Traditional approach
► Manual aggregation of risk assessments
► Limited input due to limited number of participants
► Lack of visibility of aggregate risk view by participants
► No buy-in from participants
ThinkApp approach
► Automated aggregation and charting of risk assessment results
► Immediate visibility to heat map - “WOW factor”
► Buy-in from participants since they were part of the process
► Enables intelligent discussion
Page 21
Top risk assessment rationale
[Process diagram: Step 4, Top Risks Assessment Rationale; Option 1: clarify vote rationale for high and/or low assessed risks; Option 2: clarify drivers, root causes, controls, etc. for high assessed risks]
[Screen callouts: “Select”, “Provide input here”]
Page 22
Top risk assessment rationale
[Process diagram: Step 4, Top Risks Assessment Rationale]
[Screen callouts: “Select”, “Provide input here”]
Page 23
Top risk assessment rationale
Traditional approach
► Typically rationale is not shared with participants due to interview nature of risk assessment
► One voice may speak “louder” or carry more weight than others
ThinkApp approach
► Enables intelligent discussion
► Anonymous feature ensures that participants feel comfortable providing honest input
► Participants, including leadership, leave session with increased awareness of the organization’s risks
Page 24
Risk response discussion
Traditional approach
► Typically risk response is shared only with some participants due to interview nature of risk assessment
► May require multiple discussions to obtain alignment due to lack of visibility into process and results
ThinkApp approach
► Enables immediate sharing of risk response
► All participants are aware of the planned risk response
► Significantly higher buy-in, if not complete buy-in, than traditional approach
► Increased accountability for trouble areas
Page 29
End of session activities
[Process diagram: Step 5, End of Session Activities; Option 1: additional risks or areas; Option 2: any additional questions; Option 3: feedback on session, technology, approach, or anything missed]
Page 30
Participant Feedback
Do you have any comments on the process and technology used for today's meeting?
“This was great - great process, love the tool”
“Excellent, we should use this format more. Very well managed, great tool, great moderation.”
“Great way to get everyone's feedback in a quick manner.”
“The tool worked really well. The anonymous nature of it is nice, gives people the freedom to say things maybe they wouldn't.”
“Everything about this was spot on”
“The tool was great, should be used more often.”
“This was great! I'd like us (IT) to use this in other forms of collaboration - SWOT Analysis, Strategy development, etc. etc.”
“Anonymous collection of feedback a good approach as we have IT leaders that like to dominate topics and are not always open to views of others.”
“I think this is a great initiative! This will guide the team better on the assessment for possible solutions we can implement to benefit the company. Congratulations!”
“Excellent approach to get meaningful results quickly.”
“This was great, fast and dynamic, sure beats 20+ people all talking at once.”
“Excellent collaboration method. Nice to be able to brainstorm so effortlessly.”
Page 31
Questions?
Page 32
Shouldn’t your Risk Assessment approach reflect the current digital capabilities?
Yuliya Poutkaradze
EY Risk
[email protected]
+1-949-307-4686 direct
Mayra Tolosa
EY Risk
[email protected]
+1-213-924-5757 mobile
+1-213-977-3195 office
Page 33
Additional content
How it works and client successes
Page 35
Global Manufacturing Company
Internal Audit – IT Annual Risk Assessment & IA Audit Priorities for Major Projects and Applications
Situation
Internal Audit wanted to engage a larger global audience to determine the priority IT projects and applications to include in the annual audit plan.
Objective
Increase transparency and global buy-in to the IT Projects and Applications to include in the IA annual plan.
Leveraging Digital
► Engage a much larger global stakeholder population to increase transparency and ownership of IA priorities.
► Complete the Project / Application Risk assessment in a condensed time period (3 two-hour virtual sessions).
► Reduced travel costs by conducting global virtual sessions.
Outcomes
► Dramatically increased shared understanding of Projects and Risks
► 5 times the number of stakeholders engaged compared to the previous risk assessment
► Thorough evaluation of Impact, Likelihood, and Management Effectiveness for identified IT Risks
Page 36
Global Agriculture Company
Risk Assessment
Situation
Engage numerous stakeholders from multiple locations throughout AsiaPac in one week
Objective
Gather and assess risks facing the organization from numerous divisions and departments throughout the region
Leveraging Digital
► Hosted mixed sessions of both face-to-face and virtual participants simultaneously
► Completed 8 sessions in 4 days, engaging 150+ participants in numerous countries
► Anonymous contributions allowed for open and honest feedback, breaking language and cultural barriers
Outcomes
► Generated, categorized, clarified, and prioritized hundreds of risks in a very short amount of time
► Provided key insight on places to focus based on prioritization and assessment results of each session
► Now looking to implement a digital approach for other key processes throughout the company
Page 37
Global Automotive Company
Performance Assessment for Finance Transformation
Situation
The Transformation was drastically over-budget and under-deployed, creating resistance and negative perceptions
Objective
Assess readiness of deploying the next phase at the next manufacturing location
Leveraging Digital
► Engage a much larger stakeholder population, well beyond the Transformation team
► Complete the assessment in a condensed time period
► Leverage anonymity to get a more complete and honest assessment without rank or politics inhibiting feedback
Outcomes
► Delayed the next phase as a result of the EY assessment
► 3 times the number of stakeholders engaged compared to the previous assessment
► More complete and honest feedback
► All data and assessment results consolidated and presented within 24 hours of the last session
Page 38
Global Technology Company
Vendor requirements gathering and prioritization
Situation
Requirements were generated by the client; however, they needed verification and prioritization from their vendors
Objective
Verify all requirements produced by the client, identify any that were missed, prioritize and assess all requirements
Leveraging Digital
► Rapidly verified and clarified all existing requirements as participants could contribute all at once
► Added numerous requirements for each of the 5 sections of the tool
► Quickly assessed all existing and new requirements on a 2-criteria scale: importance vs. speed
Outcomes
► Verified and clarified existing requirements, produced new requirements, and generated detailed heat maps for all 5 sections, all within 4 hours
► Allowed each vendor to gain insight on requirements of others
► Client has now expanded these sessions throughout N America
Risk Universe®
By Sector
Page 40
EY Risk Universe by Sector
Contents
► Automotive
► Banking and Capital Markets
► Consumer Products and Retail
► Government and Public Sector
► Health
► Life Sciences
► Media and Entertainment
  ► Advertising and Measurement
  ► Broadcast and Cable
  ► Content and Information Services
  ► Film, Television, and Gaming
  ► Multichannel Video Programming Distributor
► Mining
► Power and Utilities
► Real Estate, Hospitality, and Construction
► Technology
► Wealth and Asset Management
Risk Universe®
Automotive
Page 42
[Risk Universe wheel, grouped by the four categories Strategic, Operations, Compliance and Financial, as detailed on the following slide]
Strategic
► Governance
► Planning and resource allocation
► Mergers, acquisitions and divestitures
► Market Dynamics / Gov’t policy
► Communication and investor relations
► Major initiatives
Operations
► Customer expectations / sales and marketing
► Supply chain
► People and human resources
► Information Technology / cybersecurity
► Physical assets
► Tax operations
Compliance
► Code of conduct
► Legal/recall
► Regulatory
Financial
► Market
► Liquidity and credit
► Accounting and reporting
► Capital structure
EY Risk Universe
Automotive
Page 43
EY Risk Universe: Automotive
Strategic
Governance
• Board performance
• Tone at the top
• Control environment
• Corporate social responsibility
Planning and resource allocation
• Organizational structure
• Strategic planning
• Budgeting
• Forecasting
• Joint ventures / alliances and partnerships
• Special purpose entities
• Technology enablement
• Tax planning
Mergers, acquisitions and divestitures
• Valuation and pricing
• Due diligence
• Execution and integration
Market dynamics / government policy
• Competition
• Pricing pressures
• Lifestyle trends
• Customer and platform mix
• Macroeconomic factors
• Sociopolitical factors
Communication and investor relations
• Media relations
• Crisis communication
• Employee communication
Major initiatives
• Vision and direction
• Planning and execution
• Measurement and monitoring
• Technology implementation
• Business acceptance
Operations
Customer expectations / sales and marketing
• Marketing
• Advertising
• Research and development
• Sales and pricing
• Customer support/management
Supply chain
• Master planning and forecasting
• Procurement and inventory
• Production
• Transportation and logistics
• Transfer pricing
• Distribution
People and human resources
• Culture
• Recruiting and retention
• Development and performance
• Succession planning
• Compensation and benefits
• Labor relations
Information Technology / cybersecurity
• IT management
• Information protection
• IT availability/continuity
• IT spend
• Decision support
• IT architecture
Hazards
• Natural events
• Terror and malicious acts
Physical assets
• Real estate
• Property, plant and facilities
• Inventory
Tax operations
• Property taxes
• Tax department operations
• Tax technology and knowledge management
Compliance
Code of conduct
• Ethics
• Fraud
Legal
• Contract
• Liability
• Intellectual property
• Anticorruption
Regulatory
• Trade
• Customs
• Labor
• Securities
• Environment
• Data protection and privacy
• Product quality
• Health and safety
• Competitive prices and anti trade
• Tax compliance and tax authority examination management
• Sales and marketing
Financial
Market
• Interest rate
• Foreign currency
• Commodity
• Derivatives
Liquidity and credit
• Cash management
• Funding
• Hedging
• Credit and collections
• Insurance
Accounting and reporting
• Accounting, reporting and disclosure
• Reporting and information integrity
Capital structure
• Debt
• Equity
• Pension funds
• Stock options
Page 44
EY Risk UniverseAutomotive
Page 45
Additional examples
Example 1
1. Project Validation
• Validate a pre-existing list of projects (or risks)
• Generate insights into each project (ensuring alignment and clarity)
2. Assess each project on Impact & Likelihood
3. Generate vote rationale for both high and low rated projects (optional)
4. Prioritize previously entered list of Business Group Applications by largest amount of risk (Top X)
5. Generate insights for top application risks (issues, controls, etc.)
6. Prioritize previously entered list of “Other” risks (Top X)
7. Generate insights to impact and issues for top “Other” risks
8. Generate additional risks and/or areas brainstorm
Example 2
1. Generate risks (Blank Slate)
2. Identify the top risks (Top X)
3. Assess the top risks on Impact and Likelihood
4. For the highest rated risks, generate participants’ rationale for voting the way that they did
5. Rank top areas of change (Rank Order Vote)
6. Generate participants’ vote rationale for highest rated top areas of change
7. Access to resources assessment? (Yes/No)
• Leverage commenting feature to capture reasoning to ‘No’ votes
8. Additional Questions
Example 3
1. Risk Validation
• Validate a pre-existing list
• Brainstorm additional risks that may be missing from the pre-existing list
2. Identify the Top Risks (Top X)
3. Assess top risks on Impact, Likelihood & Management Preparedness (Low/Medium/High)
4. Generate vote rationale for the highest rated top risks
Example 4
1. Risk Validation
• Validate a pre-existing list
• Brainstorm additional risks that may be missing from the pre-existing list
2. Identify the top risks (Top X)
3. Assess top risks as controlled or uncontrolled (Yes/No)
Example 5
1. Prioritize top risks by area/sector/department/etc. (one area/sector/department/etc. at a time)
• Leverage commenting feature to capture reasoning for all selected top risks
2. Prioritize aggregate list of all “Top Risks by Area” to identify the overall (spanning all areas/sectors/departments/etc.) top risks
3. Assess top risks on Impact and Likelihood
4. Identify “Top Fraud Risks”
5. Assess the “Top Fraud Risks” on Impact and Likelihood
Page 47
Internal Audit Example 1 (IT)
Page 48
Example 1 -- Process
► Project (or risk) Validation
► Validate a pre-existing list of projects
► Generate insights into each project (ensuring alignment and clarity)
► Assess each project on Impact and Likelihood
► Generate vote rationale for both high and low rated projects from the previous assessment (optional)
► Prioritize previously entered list of Business Group Applications by largest amount of risk (Top X)
► Generate insights for top application risks (issues, controls, etc.)
► Prioritize previously entered list of “Other” risks (Top X)
► Generate insights to impact and issues for top “Other” risks
► Generate additional risks and/or areas brainstorm
Page 49
Example 1 -- Project Insights Brainstorm
Page 50
Example 1 -- Projects Impact & Likelihood Assessment
Page 51
Example 1 -- Vote Rationale for Impact & Likelihood Assessment (Optional)
Page 52
Example 1 -- Application Risks By Area (Business Group)
Page 53
Example 1 -- Clarify Top Application Risks by Area (Business Group)
Page 54
Example 1 -- Top Other Risks Assessment
Page 55
Example 1 -- Clarify Top Other Risks
Page 56
Example 1 -- Additional Risks or Areas Brainstorm
Page 57
Internal Audit Option 2
Page 58
Example 2 -- Process
► Generate risks (Blank Slate)
► Identify the top risks (Top X)
► Assess the top risks on Impact and Likelihood
► For the highest rated risks, generate participants’ rationale for voting the way that they did
► Rank top areas of change (using a Rank Order Vote)
► Generate participants’ vote rationale for the highest rated top areas of change
► Access to resources assessment? (Yes/No)
► Leverage commenting feature to capture reasoning to ‘No’ votes
► Additional Questions
Page 59
Example 2 -- Generate Risks
Page 60
Example 2 -- Identify the Top Risks
Page 61
Example 2 -- Impact and Likelihood Assessment of the Top Risks
Page 62
Example 2 -- Rationale for Voting Risks High Impact & Likelihood
Page 63
Example 2 -- Ranking Top Areas of Change
Page 64
Example 2 -- Rationale for Ranking Top Areas of Change
Page 65
Example 2 -- Access to Resources Validation
Page 66
Example 2 -- Access to Resources Validation (Clarify using the assessment comments functionality)
Page 67
Example 2 -- Additional Questions
Page 68
Internal Audit Example 3
Page 69
Example 3 -- Process
► Risk Validation
► Validate a pre-existing list
► Brainstorm additional risks that may be missing from the pre-existing list
► Identify the Top Risks (Top X)
► Assess the top risks on Impact, Likelihood & Management Preparedness (Low/Medium/High)
► Generate vote rationale for the highest rated top risks
Page 70
Example 3 -- Risk Validation (Optional: generate additional risks that the group feels are missing from the list)
Page 71
Example 3 -- Top Risks Assessment
Page 72
Example 3 -- Impact, Likelihood, & Degree of Management Control
Page 73
Example 3 -- Voting Rationale for Risks Assessed as High/Critical
Page 74
Internal Audit Example 4
Page 75
Example 4 -- Process
► Risk Validation
► Validate a pre-existing list
► Brainstorm additional risks that may be missing from the pre-existing list
► Identify the top risks (Top X)
► Assess top risks as controlled or uncontrolled (Yes/No)
Page 76
Example 4 -- Risk Validation
Page 77
Example 4 -- Top Risks Assessment
Page 78
Example 4 -- Controlled Risks Assessment (Identify top uncontrolled risks)
Page 79
Internal Audit Example 5
Page 80
Example 5 -- Process
► Prioritize top risks by area/sector/department/etc. (one area/sector/department/etc. at a time)
► Leverage commenting feature to capture reasoning for all selected top risks
► Prioritize aggregate list of all “Top Risks by Area” to identify the overall (spanning all areas/sectors/departments/etc.) top risks
► Assess the top risks on Impact and Likelihood
► Identify “Top Fraud Risks”
► Assess the “Top Fraud Risks” on Impact and Likelihood
Page 81
Example 5 -- Top Three Risks by Area/Sector (Strategic)
Page 82
Example 5 -- Top Three Risks by Area/Sector (Clarify using assessment comments functionality)
Page 83
Example 5 -- Top X Risks from All Areas/Sectors
Page 84
Example 5 -- Impact & Likelihood Assessment of Top Risks
Page 85
Example 5 -- Top X Fraud Risks
Page 86
Example 5 -- Impact & Likelihood Assessment of Top Fraud Risks
Page 87
Glossary of Key Risk Terms
Internal Audit Risk Assessment ThinkApp Session – Definitions, Terms & Scales
Page 89
Glossary of Key Risk Terms
► Risk: A risk is any event or circumstance that could affect the achievement of business objectives. Risk is defined in terms of the likelihood of occurrence, and impact in the event that it occurs.
► Contributing Factors / Risk Drivers: Contributing factors are the causal drivers of risk that affect either the likelihood of occurrence or the severity of business impact of the event or circumstance. Contributing factors are typically considered as being related to either: People, Process, Technology or External Factors.
► Impact: Significance of the effect on both long-term and short-term objectives, such as financial results, customer service, regulatory compliance, competitiveness, safety, reputation, environmental, etc. The consideration of expected impact includes both quantitative and qualitative effects to measure the severity of the risk event with annualized revenue as the common financial denominator.
► Likelihood: The probability of a risk occurring over time, estimated relative to the assessed level of impact. Attention is paid to past occurrences and those of similar industry peer organizations. The consideration of probability of occurrence takes into consideration both the likelihood of a single event with a significant impact or multiple events of the same risk that would aggregate to a significant impact.
► Management Preparedness: The overall effectiveness of mitigation activities and controls currently in place to manage risks. The assessment of the management preparedness level is based on judgment by the participants.
Page 90
Glossary of Key Risk Terms
► Emerging Risk: A condition, situation or trend that could significantly impact the enterprise’s financial strength, competitive position or reputation within the next 5 years.
► Inherent Risk: The exposure of a risk that is intrinsic to the business in the current environment before the consideration of risk management and control activities that have been designed and implemented to specifically manage a given risk.
► Residual Risk: The exposure to a risk remaining after considering the effect of the existing risk management and control activities, i.e. inherent risk offset by the aggregate impact of risk management activities and controls equates to residual risk.
► Key Performance Indicators: Business metrics used to evaluate factors that are crucial to the success of the enterprise organization.
► Key Risk Indicators: Metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.
Page 91
Defining a Risk Response Strategy: 3-Quadrant
The goal of the enterprise risk assessment is to capture not only the significant risk exposures, but also the perceived level of management and control activity. These parameters, when combined, allow management to determine an appropriate response for the significant risks and guide ongoing oversight and monitoring. During the workshop we will validate that the enterprise risks are captured in the appropriate action quadrant.
Improve: High risk exposures with low levels of control form the priorities for improvement opportunities.
Managed/Test: High risk exposures with strong controls and management efforts form the focus for audit to provide assurance that controls are adequate and efficient.
Monitor: Risks that will be managed at the business level that require oversight of Company Executive Management.
[Chart: vertical axis Risk exposure ((impact + likelihood)/2), Low 1.0 to High 5.0; horizontal axis Management preparedness, High 1.0 to Low 5.0. Upper left: Managed / Test; upper right: Improve; lower half: Monitor.]
Page 92
Defining a Risk Response Strategy: 4-Quadrant
The goal of the enterprise risk assessment is to capture not only the significant risk exposures, but also the perceived level of management and control activity. These parameters, when combined, allow management to determine an appropriate response for the significant risks and guide ongoing oversight and monitoring. During the workshop we will validate that the enterprise risks are captured in the appropriate action quadrant.
Improve: High risk exposures with opportunities for mitigation improvements.
Managed/Test: High risk exposures with adequate controls and management efforts. Form the audit plan.
Monitor: Risks that will be monitored to ensure that if the exposure increases, appropriate actions are taken.
Optimize: Low risk exposures with a moderate level of control may be consciously accepted or may be a focus to re-allocate resources.
[Chart: vertical axis Risk exposure ((impact + likelihood)/2), Low 1.0 to High 5.0; horizontal axis Management preparedness, High 1.0 to Low 5.0. Upper left: Managed / Test; upper right: Improve; lower left: Optimize; lower right: Monitor.]
Page 93
Tier 1 Enterprise Risk Definitions
Key Risks and Risk Descriptions
Data Security / Cyber Attack
Data breaches (involving electronic or physical data) of critical confidential data (e.g., financial information, strategic plans, intellectual property, customer lists/pricing) from internal (employees) and external sources (hackers) may result in reputational damage, loss of business, or negatively impact earnings.
Staffing of Key Roles / Succession Planning
Failure to fill key leadership roles with the right skills and experience as well as an insufficient number of candidates to back up key management positions may result in loss of corporate knowledge and adversely impact the business’s ability to operate effectively in the event that an employee leaves.
Acquisition & Integration
With continued execution of global strategic roadmaps for focused growth spaces, consolidated markets and increased competition/pricing for acquisition targets, failure to successfully complete acquisitions, sufficiently integrate and achieve projected ROI on acquisitions may prevent operating companies from expanding into a market/globally, protecting market share, and growing in adjacent products or markets.
Innovation
Failure to sustain proactive focus and application of resources on a global basis to identify, react and adapt to rapid business model and technological changes due to increased global competitive pressures may result in the inability to compete or execute growth strategies.
Page 94
Risk Details: Data Security / Cyber Attack
Risk Definition: Data breaches (involving electronic or physical data) of critical confidential data (e.g., financial information, strategic plans, intellectual property, customer lists/pricing) from internal (employees) and external sources (hackers) may result in reputational damage, loss of business, or negatively impact earnings.
Risk Drivers
• Increasing threat landscape as cyber attacks become more common
• Insufficient security measures around IT infrastructure
• Insufficient number of skilled specialized resources
• Lack of attack detection capabilities as well as response plans
• Decentralized IT infrastructure increases management difficulty
• Ability to identify and inventory the organization’s most valuable assets in efforts to protect them (restricting access to IP to appropriate individuals)
Impacts
• Reputational, Financial, Operational, Legal, Regulatory
Mitigation Activities
• Creation of a common data security policy
• Increased experience performing Data Security assessments
• Increased data security training
• Centralized management of IT infrastructure
• Implementation of new procedures and technologies to prevent accidental data loss
• Shifting to centralized policies and procedures
Page 95
Scale Definitions
Page 96
Assessment of Impact
Columns: Financial, Operations, Compliance, Strategic
Rating 5 (Significant)
• Financial – Profitability: >25% EBIT/EPS; Value: >25% loss of market value; Disclosure: Fiscal year restatement
• Operations – Scope: Enterprise wide; inability to continue normal business operations across all business units
• Compliance – Regulatory / Legal: Management indictments, large-scale class actions, regulatory sanctions
• Strategic – Strategy: Potential acquisition or bankruptcy; Reputation: Loss of confidence of all stakeholder groups (e.g., clients, business partners, personnel); Market Share: Potentially irrecoverable (i.e., 24-36 months)
Rating 4 (High)
• Financial – Profitability: >20% EBIT/EPS; Value: >20% loss of market value; Disclosure: Fiscal quarter restatement
• Operations – Scope: 3 business units; significant interruptions to business operations within 3 or more business units
• Compliance – Regulatory / Legal: Management challenged, large legal liabilities, regulatory fines
• Strategic – Strategy: 2 or more changes in senior leadership, financial restructuring, significant changes to strategic plan; Reputation: Loss of confidence by 3 or more stakeholder groups; Market Share: Long-term recovery (i.e., 12-24 months)
Rating 3 (Moderate)
• Financial – Profitability: >15% EBIT/EPS; Value: >15% loss of market value; Disclosure: Significant deficiency
• Operations – Scope: 2 business units; moderate interruptions within 2 or more business units
• Compliance – Regulatory / Legal: Management reviewed, legal reserve established, regulatory investigation
• Strategic – Strategy: 1 or more changes in senior leadership, significant changes to operating plans and execution; Reputation: Loss of confidence by 2 or more stakeholder groups; Market Share: Mid-term recovery (i.e., 6-12 months)
Rating 2 (Low)
• Financial – Profitability: >10% EBIT/EPS; Value: >10% loss of market value; Disclosure: Control weakness
• Operations – Scope: 1 business unit; interruptions restricted to 1 business unit
• Compliance – Regulatory / Legal: Management indictments, large-scale class actions, regulatory sanctions
• Strategic – Strategy: Refinements or adjustments to operating plans and execution; Reputation: Loss of confidence limited to 1 stakeholder group; Market Share: Short-term recovery (i.e., less than 6 months)
Rating 1 (Limited)
• Financial – Profitability: >5% EBIT/EPS; Value: >5% loss of market value; Disclosure: Additional risk disclosure
• Operations – Scope: Limited interruptions within 1 business unit
• Compliance – Regulatory / Legal: Limited liabilities or regulatory impact
• Strategic – Strategy: Limited adjustment necessary; Reputation: Limited impact to 1 stakeholder group; Market Share: Limited recovery (i.e., less than 3 months)
The impact assessment criteria above are for illustration only. Criteria must be defined by client management and customized to suit the nature of each engagement.
Page 97
Assessment of Likelihood
The probability of a risk occurring over a predefined time period. In most instances this is set at one year but can be adjusted to be aligned with the company’s planning horizon. In some cases, frequency of occurrence may be considered as well.
Columns: Score/Rating, Probability of Occurring, Frequency
• 5 Expected: > 90%; Yearly
• 4 Highly likely: ≤ 90%; Every 1-2 years
• 3 Likely: ≤ 60%; Every 3-5 years
• 2 Not likely: ≤ 30%; Every 6-9 years
• 1 Rare: ≤ 10%; Every 10 years and beyond
Page 98
Assessment of Management Preparedness
The following management and control activity assessment criteria are for illustration only. Criteria must be defined by client management and customized to suit the nature of each engagement.
A score may be used to help determine residual risk (if a similar score-based approach is used to calculate likelihood and impact). The residual risk formula is as follows:
Residual Risk = ((Impact x Likelihood) x (1 - (Management and Control Level / 5)) + (0.2 x (Impact x Likelihood)))
Management can then define the level of risk it attaches to the residual risk score.
Columns: Score, Management Preparedness, Description
• 5 Requires Critical Improvement: Controls and/or Management Activities are non-existent or have major deficiencies and don’t operate as intended
• 4 Requires Significant Improvement: Limited controls and/or Management Activities in place; high level of risk remains
• 3 Requires Moderate Improvement: Key controls and/or Management Activities in place, with moderate opportunities for improvement identified
• 2 Requires Limited Improvement: Controls and/or Management Activities properly designed and operating, with opportunities for improvement identified
• 1 Requires No Improvement: Controls and/or Management Activities properly designed and operating as intended
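The response quadrants on the Risk Response Strategy slides and the residual risk formula above can both be exercised in code. The following Python is a worked example added to this page; it is not EY's ThinkApp code. It uses the page's 1 to 5 scales for Impact, Likelihood and Management Preparedness and the Tier 1 risk names, with constructed ratings for each. Two points are assumptions of the example rather than statements from the slides: the quadrant boundaries are placed at the 3.0 midpoint of the chart axes, and, because the formula's "Management and Control Level" has to read 5 for strong control (that is what drives its first term to zero) while the preparedness score table reads 5 for the weakest position, the example reverses the score (level = 6 - score) before applying the formula.

```python
"""Risk-response quadrants and residual-risk scoring for a risk register.

Added worked example, not EY's ThinkApp code.  Scales follow this page:
Impact 1-5, Likelihood 1-5, Management Preparedness score 1-5
(1 = Requires No Improvement, 5 = Requires Critical Improvement).
Anything marked ASSUMPTION is this example's choice, not the page's.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5
# ASSUMPTION: both chart axes run 1.0-5.0; the 3.0 midpoint is used here as
# the boundary between the low and high halves of each axis.
AXIS_MIDPOINT = 3.0


def _check_score(name, value):
    """Reject, rather than clamp, anything outside the page's 1-5 scales."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")


@dataclass(frozen=True)
class RiskRating:
    name: str
    impact: int        # Assessment of Impact: 1 (Limited) .. 5 (Significant)
    likelihood: int    # Assessment of Likelihood: 1 (Rare) .. 5 (Expected)
    preparedness: int  # Management Preparedness score: 1 (no improvement) .. 5 (critical)

    def __post_init__(self):
        for field in ("impact", "likelihood", "preparedness"):
            _check_score(field, getattr(self, field))


def risk_exposure(rating):
    """Vertical axis of the quadrant charts: (impact + likelihood) / 2."""
    return (rating.impact + rating.likelihood) / 2


def control_level(preparedness_score):
    """Map the preparedness score onto the formula's 'Management and Control Level'.

    ASSUMPTION: the formula needs 5 to mean strongest control, the preparedness
    score uses 5 for the weakest position, so the scale is reversed: 6 - score.
    """
    _check_score("preparedness", preparedness_score)
    return SCALE_MAX + SCALE_MIN - preparedness_score


def residual_risk(impact, likelihood, preparedness_score):
    """The page's formula:
    ((Impact x Likelihood) x (1 - (Management and Control Level / 5))
     + (0.2 x (Impact x Likelihood)))
    The 0.2 term keeps residual risk at 20% of inherent risk even at the
    strongest control level; at the weakest level residual equals inherent.
    """
    _check_score("impact", impact)
    _check_score("likelihood", likelihood)
    inherent = impact * likelihood
    level = control_level(preparedness_score)
    return round(inherent * (1 - level / SCALE_MAX) + 0.2 * inherent, 2)


def quadrant(rating, four_quadrant=False):
    """Place a risk in the response quadrants drawn on the page.

    Horizontal axis: preparedness score, High (1.0) on the left to Low (5.0)
    on the right.  Vertical axis: risk exposure, Low (1.0) to High (5.0).
    The 3-quadrant chart folds Optimize into Monitor.
    """
    high_exposure = risk_exposure(rating) >= AXIS_MIDPOINT
    weak_control = rating.preparedness >= AXIS_MIDPOINT
    if high_exposure:
        return "Improve" if weak_control else "Managed/Test"
    if four_quadrant and not weak_control:
        return "Optimize"
    return "Monitor"


def assess_register(ratings, four_quadrant=False):
    """Score every risk; rows come back with the highest residual risk first."""
    rows = [{
        "risk": r.name,
        "exposure": risk_exposure(r),
        "residual": residual_risk(r.impact, r.likelihood, r.preparedness),
        "quadrant": quadrant(r, four_quadrant),
    } for r in ratings]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample ratings for the Tier 1 risk names listed on the page.
SAMPLE_REGISTER = [
    RiskRating("Data Security / Cyber Attack", impact=5, likelihood=4, preparedness=4),
    RiskRating("Staffing of Key Roles / Succession Planning", impact=3, likelihood=3, preparedness=2),
    RiskRating("Acquisition & Integration", impact=2, likelihood=3, preparedness=4),
    RiskRating("Innovation", impact=2, likelihood=2, preparedness=2),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER, four_quadrant=True):
        print(f"{row['risk']:<45} exposure={row['exposure']:.1f} "
              f"residual={row['residual']:>5} {row['quadrant']}")
```

Running the block prints the constructed register ordered by residual risk: the cyber risk lands in Improve (high exposure, weak preparedness), succession planning in Managed/Test, and Innovation in Optimize on the 4-quadrant chart but Monitor on the 3-quadrant one. Because of the 0.2 term, a risk rated Requires No Improvement still carries a residual score of 0.2 × Impact × Likelihood, so it never disappears from the register.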
Page 99
Assessment of Velocity
Velocity is a function of Speed and Direction: primarily how fast a particular risk is approaching in terms of months and years, and whether it is approaching the industry or is very specific to us.
Columns: Score/Rating, Time horizon
• 5 Very Fast: Within 1-6 months
• 4 Fast: Between 6-12 months
• 3 Moderate: Between 1-2 years
• 2 Slow: Between 2-3 years
• 1 Very Slow: > 3 years