Assessing Organizational Risk
Barry S. Leithhead
Which risk assessment method is right for your organization?
PRICELESS DILBERT CARTOON depicts the pointy-haired boss asking Alice to perform a risk management assessment. After completing her study, Alice informs the boss that “There is no risk of any management in this organization!”
This cartoon unfortunately reflects what can happen when management calls on internal auditing to perform an organizational risk assessment. Often, neither management nor the internal audit staff really knows where or how to begin. As with Alice’s study, such misguided efforts frequently turn up only the most obvious problems, leaving real risks undetected.
An organizational risk assessment is a key tool for governance, and getting it right is important. Selecting the correct method for performing the assessment is a critical first step. Successful audit staffs generally use any of three basic approaches–the database, algorithm, or matrix approach. Understanding the strengths and weaknesses of each method is essential for determining which technique will provide the most value for the organization.
THE DATABASE APPROACH
Compiling a risk database is a popular method for assessing organizational risk. From interviews with each work group, the main products and processes are cataloged, along with the specific risks associated with each unit. Reports can be extracted from the database to search for common risks in all groups or to examine all of the risks faced by a group of related work units.
The database approach is favored by many accounting firms, which may label it “risk profiling” and include it as part of their “enterprise risk management” product line. The process is also preferred by risk managers in the insurance industry, who use it to capture data for individual physical or financial assets or asset groups. The end result is a catalog of assets and their general risk events.
More progressive risk managers include the potential lost revenue for the particular asset or group. For example, a manufacturing plant could be valued at its replacement cost, or it could be valued at its replacement cost plus the lost profits from missed production.
One variation recently supported by the banking industry is to compile a loss-event database detailing all losses. Advocates claim that such databases allow risks to be easily identified and then managed. Loss-event databases focus on past events and usually address only financial loss, making them a poor choice for risk assessments that must cover information, reputation, or human assets.
All database approaches are data-intensive and time-consuming to build–a serious consideration when hiring a consultant to perform the initial assessment. A significant time investment is also required to maintain these databases, and they are quickly outdated in any changing environment.
A further weakness is that the mass of data is too overwhelming for governance decisions, although the level of detail can be useful for providing guidance on risk management to small work units. A number of software packages aid in summarizing the detail data and in displaying the total financial exposure by risk category or asset type, or in total. Auditors should ensure, however, that software is used as a support to intelligent risk analysis, not as a substitute for it. Ensuring that the database targets only significant risks also will help the auditor and management to avoid becoming bogged down in the details. Such targeting calls for pragmatic judgment from a business management perspective about which risks are truly significant, a requirement that may be difficult for some internal auditors to satisfy.
THE ALGORITHM APPROACH
An algorithm is a sequence of steps, usually involving logic and mathematics, that produces a result. Once an algorithm is built to solve a problem, it can be repeatedly used to address like situations.
Algorithms in risk assessment usually involve applying a mathematical equation to each of the organization’s work units and calculating their level of risk. The equations are built using risk factors, along with measures of risk associated with each factor. Risk factors are observable, measurable indications of the presence of risk. For example, “time since last audit” is a common risk factor that expresses the deterioration of control systems over time.
Choosing a number of common risk factors and measuring their strength in each of the organization’s work units creates a risk model, which summarizes and prioritizes the overall risk in each work unit. Experience shows that models work best with four to seven factors, but never more than to. Some models use proportionate weights to distinguish relative importance within the group of factors, while others use equal weights.
Successful algorithms are built utilizing static or dynamic risk factors. Static risk factors are stable over a period of time and represent dimensions of resources like inventory and revenue. Therefore, static factors are not direct indicators of risk.
Dynamic risk factors represent conditions that are unstable over time and therefore require constant monitoring. Variations in activity, volume, and speed, such as the amount of sales, the number of dispatches per day, or the number of minutes of call center wait time, are typical dynamic factors. Risk analysis using dynamic factors seeks to detect the sources and causes of risk, which usually stem from the uncertainty, volatility, diversity, complexity, or hazardous nature associated with the business processes or units being reviewed. A dynamic risk factor indicates the source of risk of a particular type in a particular activity at a particular point in time. To detect an overall trend in risk, dynamic factors must be measured and analyzed over a period of time.
Many benefits are associated with the use of the algorithm approach. Risk models offer a happy medium between the detailed data gathering of the database approach and the broad strategic process of the matrix technique. Unlike the database approach, risk models using algorithms are effective during growth and change. Once the algorithm is created and its results validated, the formula can be applied to new business processes and to current work units. Assumptions regarding risk levels can be easily explained, since they are based on mathematical relationships. The investment in initial data gathering is modest, and the ongoing maintenance effort is low. Risk models built with algorithms often capture and manipulate data with spreadsheets, which are easier to create and use than many of the proprietary products that use databases.
However, using an algorithm for risk assessment can be challenging. First, a broad business knowledge is required of the assessment team, and not all internal audit staffs may possess or be able to acquire such knowledge.
In addition, risk factors used to build algorithms are often based on a list that was developed in the early 1980s. Many of the 19 most popular factors are actually control factors. Using them in risk models serves to identify only the controls that do not work, not the truly significant risks.
THE MATRIX APPROACH
Strategic planners and senior management often favor the matrix approach because of its higher-level focus and graphic display of risk. A matrix is formed with the organization’s business units on one axis and a set of high-level risks on the other axis. The number of risks is usually between 12 and 16, although viable models with as few as four are known. A team assesses each business unit for each risk, and the results are displayed in the appropriate cell on the matrix: green for low risk, yellow for moderate risk, red for high risk, and white–or blank–for “not applicable.”
Alternatively, each business unit may create its own matrix using the same risks, but applying them against smaller work groups within the business unit. These assessments can then be combined to create the organization’s total risk matrix.
One advantage of the matrix approach is that it is flexible and quick to implement. It also provides a three-dimensional look at risk by including the cell contents. Although assumptions are not as easily explained, the impact of the graphical representation of risk is enormous. For example, the clusters of red draw attention to themselves.
Like the algorithm approach, the matrix approach requires that the assessment team possess a great deal of business knowledge to be credible. In addition, maintenance of the matrix can be challenging, because the assessment must be performed any time a significant change is noted. Tracking possible changes in the business units that would warrant a new assessment can be difficult, depending upon the strength of management information systems and reporting. As a result, the matrix does not display the dynamics of the risk profile as easily as a database does.
WHICH APPROACH TO USE?
None of the three methods is considered to be standard or is universally favored by risk assessment professionals. Arguments for each approach can be made, depending on the intended use of the assessment information and on the level of difficulty the organization is willing to accept.
The database technique is the most difficult to implement and maintain and is best used for providing detailed guidance to management. The algorithm approach, which is of most use to operational management, is the easiest to maintain, yet moderately difficult to implement. Conversely, the matrix approach is the easiest to implement, but moderately difficult to maintain. The matrix method best serves strategic management.
Management and the internal audit staff must consider these attributes, along with the organizational resources available and the intended use of the assessment, when determining which approach is right for their organization. A successful, informative risk analysis depends on such careful deliberation.
BARRY S. LEITHHEAD, FCPA CIA, is Managing Director of Leithhead & Associates in Glenorie, Australia.
DAVID McNAMEE, CIA, CISA, CFE, CGFM, is President of Management Control Concepts in Alamo, California.
COPYRIGHT 2000 Institute of Internal Auditors, Inc.
COPYRIGHT 2002 Gale Group