This document discusses risk assessments, including identifying risks, measuring risks, and using a risk matrix. It outlines some key operational risk types like capacity issues, strategic risks, compliance risks, and environmental risks. It also provides examples of impact and likelihood ratings for risks from negligible to catastrophic. The risk matrix is identified as an important tool to analyze objectives, risks, and controls during audits.
Original Description:
Computer Information System Audit Chapter 3 Reviewer
Risk Assessments
The process of identifying, measuring, and analyzing risks relevant to a program or process. This assessment is systematic, iterative, and subject to both quantitative and qualitative inputs and factors. It also depends on the timeframe of the review.

Identification of Risks
A key aspect of any risk assessment. It takes the form of a list of risks.
This is different from risk factors, since risk factors are conditions that exacerbate or diminish a risk.

Operational Risk Types

Capacity (Operational Capacity)
- Inability to produce as many units as required
- Process generating excessive amounts of waste
- Producing too many defective parts
- Delivering ordered goods or services past the promised date
- Inability to provide high quality service to every customer

Strategic (Business Strategies; high-level goals are aligned with the business's mission)
- Failing to maintain beneficial relationships with customers
- Computer system's inability to support the operating unit's needs
- Manufacturing lines being unable to keep pace with sales growth
- Lack of funding to finance business expansion
- Knowledge drain due to employee turnover
- Failure to respond to changing customer preferences

Compliance
- Failure to meet external requirements
- Failure to meet internal standard operating procedure requirements
- Failure to meet combined requirements

Natural Environment
- Energy supply disruption
- Damage from fire, water, or natural disasters
- […] energy
- Business interruption caused by disease

Political
- Changes in legislation or regulation due to government changes
- Social unrest triggered by changes in government

It is imperative for internal auditors to remember that there are internal and external constraints in organizations. Internal constraints include:
Equipment – the types of equipment available and the ways they are used limit the ability of the process to produce more high quality goods and deliver services.
People – a lack of skilled and motivated workers limits the productive capacity of any process. Attitudes and other mental models embraced by workers can lead to behaviors that become a constraint on the process.
Policies – written and unwritten policies can prevent the process from producing more or higher quality goods and services.

Measurement of Risks
After identifying risks, they must be measured. The measurement process can be subjective or quantitative, and either driven by facts or not. Subjective measures are driven by the participants' experience and intuition about the risks involved.

[Table: Impact Ratings by Range]

[Table: Likelihood Ratings by Range]

[Table: Sample Nonlinear Likelihood Ratings]

[Table: Expanded Likelihood Ratings]

Expanded Impact Ratings

Negligible – very low
- Very little damage or harm. No disruption in operations. Insignificant number of injuries, people displaced, and people requiring support.

Marginal – low – minor damage or harm
- No significant disruptions in operations. Unlikely to cause any significant harm to staff or others, and could be managed.
- Small number of people affected. Small number of minor injuries. Minor damage to properties. Minor displacement of people for less than 24 hr.

Critical – moderate – significant damage or harm
- Event may cause very short disruptions to operations. Significant injury to staff is likely and could result in moderate loss of assets, but the event is manageable.
- Significant number of casualties.
- Localized displacement of more than 100 people for up to 3 days.

Severe – high – serious damage or harm
- May cause significant disruption or suspension of operations.
- May cause significant injury or death of workers or staff.
- Significant damage requiring external resources to support local responders.
- 100 – 500 people in danger and displaced for more than 1 week.

Catastrophic – very high – critical – extreme damage or harm
- Long-term suspension of operations and possible office or program closure.
- Imminent loss of life.
- More than 500 people displaced for a prolonged duration.

Risk Matrix
A widely used and highly effective tool to record and analyze the objectives, risks, and controls in the program or process that is being audited, as defined in the scope definition.
This is an essential ingredient when conducting risk-based audits, as it provides a means to capture and analyze these items.

Risk Score
Low = 1 – 8
Medium or Moderate = 9 – 17
High = 18 – 25
To compute the risk score, multiply impact by likelihood. With each rated on a five-point scale, scores range from 1 to 25.