Professional Documents
Culture Documents
5 - Lecture - Risk Assessment
5 - Lecture - Risk Assessment
Operations
Auditing
RISK ASSESSMENT
Risk Assessment
Risk assessment is the process of identifying, measuring,
and analyzing risks relevant to a program or process. This
assessment is systematic, iterative, and subject to both
quantitative and qualitative inputs and factors.
1
25/10/2021
Risk Assessment
“A chain is only strong as its weakest link” (related to the Theory of constraints)
Organizations, programs, processes, and even departments are vulnerable
because the weakest element can always damage, break, or at the very
least adversely affect the outcome
Attention must be focused on performing an inventory of
all the related components, assessing their strengths and
weaknesses, performing gap analysis, identifying
appropriate response, implementing the best remedial
action, and monitoring results
Identification of Risks
2
25/10/2021
Identification of Risks
Limited risk identification may be due to the Auditors’:
Lack of in-depth knowledge about the process
Bias due to common training, particularly in accounting – lack of broad thinking
over other types of risk other than those related to accounting and compliance
Identification of Risks
Internal constraints that the Auditors need to consider:
Equipment – the types of equipment available, and how these are used, might
limit the ability of the process to produce good products or services
People – lack of skills and motivation limits productivity
Policies – written and unwritten policies sometimes prevent the process from
producing good products and services
3
25/10/2021
Measurement of Risks
The measurement process can be either subjective or quantitative,
and either driven by facts or not
The impact of the risk is measured to determine the effect to the
organization if the risks were to materialize
The likelihood of the risk is measured to determine if the risks
were to occur
4
25/10/2021
Measurement of Risks –
Impact of the Risk
Measurement
of Risks –
Likelihood of
the Risk
5
25/10/2021
Measurement of Risks –
The Risk Matrix
The risk matrix is a widely used
and highly effective tool to
record and analyze the
objectives, risks, and controls in
the program or process that is
being audited, as defined in the
scope definition. It provides a
means to capture and analyze
risks in risk-based audits.
Measurement of Risks –
The Risk Matrix
6
25/10/2021
Assessing Risks
The conduct of risk assessment means that we should look for weaknesses
(sometimes referred to as vulnerabilities) that would make an asset susceptible to
damage or loss from the hazard.
Assessing Risks –
Approaches in identifying the relevant
events for review
Objective-based – identify events that may hinder the
ability of the organization to achieve its objectives
7
25/10/2021
Assessing Risks –
Factors that can affect event occurrence
Assessing Risks –
Hazards, Assets at Risk, and Impact
Organizational Hazards
8
25/10/2021
Assessing Risks –
Hazards, Assets at Risk, and Impact
Hazards are relevant to the extent that there are assets that can be negatively
impacted; accordingly, the organization should consider creating a mitigation
strategy.
Assessing Risks –
Hazards, Assets at Risk, and Impact
The organization must be resilient, so as much as anticipating adverse
outcomes is key to success, the lack of flexibility to embrace new
technologies, understand, and capitalize on these new technologies,
financial products, emerging markets, and social dynamics can be a cause
of ruin.
9
25/10/2021
Reference:
Murdock H., Operational Auditing: Principles and Techniques for a Changing World (Second Edition)
10