
25/10/2021

Operations
Auditing
RISK ASSESSMENT

Prepared by: C. Guerrero

Risk Assessment
Risk assessment is the process of identifying, measuring,
and analyzing risks relevant to a program or process. This
assessment is systematic, iterative, and subject to both
quantitative and qualitative inputs and factors.

It is a process that begins by identifying potential hazards and
analyzing those items to determine what could happen if the
hazards were to occur. An important aspect of this is to
identify and quantify the assets that are at risk.


Risk Assessment
“A chain is only as strong as its weakest link” (related to the Theory of Constraints)
• Organizations, programs, processes, and even departments are vulnerable
  because the weakest element can always damage, break, or at the very
  least adversely affect the outcome
• Attention must be focused on performing an inventory of
  all the related components, assessing their strengths and
  weaknesses, performing gap analysis, identifying the
  appropriate response, implementing the best remedial
  action, and monitoring results

Identification of Risks

A key aspect of any risk assessment – this takes the form of a list of risks

• The objective is to identify all the relevant risks
  to ensure that all other actions related to the risk
  assessment – measurement and analysis of risks –
  are not limited


Identification of Risks
Limited risk identification may be due to the Auditors’:
• Lack of in-depth knowledge about the process
• Bias due to common training, particularly in accounting – lack of broad thinking
  about types of risk other than those related to accounting and compliance

Accordingly, the Auditors should:
• Perform sufficient planning and research
• Include people with an extensive knowledge of the programs or
  processes in the risk identification exercise (the employees and
  management)
• Use a prepared list

Identification of Risks
Internal constraints that the Auditors need to consider:
• Equipment – the types of equipment available, and how these are used, might
  limit the ability of the process to produce good products or services
• People – lack of skills and motivation limits productivity
• Policies – written and unwritten policies sometimes prevent the process from
  producing good products and services


Examples of Operational Risks

Measurement of Risks
• The measurement process can be either subjective or quantitative,
  and either driven by facts or not
• The impact of the risk is measured to determine the effect on the
  organization if the risks were to materialize
• The likelihood of the risk is measured to determine how likely the
  risks are to occur

Subjective measures are driven by the participants’ experience and
intuition about the risk involved. Their weakness: one person’s
“minor” risk could be someone else’s “moderate”, and so on.


Measurement of Risks – Impact of the Risk

Measurement of Risks – Likelihood of the Risk


Measurement of Risks – The Risk Matrix
The risk matrix is a widely used and highly effective tool to
record and analyze the objectives, risks, and controls in
the program or process that is being audited, as defined in the
scope definition. It provides a means to capture and analyze
risks in risk-based audits.

Measurement of Risks – The Risk Matrix

The layout of the matrix varies by organization


Assessing Risks
The conduct of risk assessment means that we should look for weaknesses
(sometimes referred to as vulnerabilities) that would make an asset susceptible to
damage or loss from the hazard.

Vulnerability is defined as the “degree to which
people, property, resources, systems, and cultural,
economic, environmental, and social activity is
susceptible to harm, degradation, or destruction on
being exposed to a hostile agent or factor.”

Assessing Risks – Approaches in identifying the relevant events for review
• Objective-based – identify events that may hinder the
  ability of the organization to achieve its objectives

• Scenario-based – identify triggers that can start different
  scenarios or stop them from occurring; then, upon
  understanding these triggers and scenarios, the
  organization can better prepare itself to leverage
  opportunities and avoid negative consequences


Assessing Risks – Factors that can affect event occurrence

• External – economic, business, natural environment,
  political, social, and technological factors (advancement
  in technology)

• Internal – infrastructure, personnel, processes, and
  technology (available technology within the organization)

Assessing Risks – Hazards, Assets at Risk, and Impact
Organizational Hazards


Assessing Risks – Hazards, Assets at Risk, and Impact
• Hazards are relevant to the extent that there are assets that can be negatively
  impacted; accordingly, the organization should consider creating a mitigation
  strategy.

• The risk assessment – identifying hazards, assets at risk,
  impact, and response activities – serves the organization
  well by increasing the likelihood of achieving goals and
  objectives.

Assessing Risks – Hazards, Assets at Risk, and Impact
• The organization must be resilient: as much as anticipating adverse
  outcomes is key to success, a lack of flexibility to embrace,
  understand, and capitalize on new technologies, financial products,
  emerging markets, and social dynamics can be a cause of ruin.


Reference:

Murdock H., Operational Auditing: Principles and Techniques for a Changing World (Second Edition)
