
Session 2

Risk Assessment

Commission on Audit
Central Office
June 26, 27 & 29, 2023

JAYVIN I. ESTILLORE
State Auditor I
Internal Control Systems Advisory Office
Commission on Audit, SAI Philippines

1
Session Overview

IC Component 2: Risk Assessment

• Principles
• Principal foci
• Attributes/Considerations in complying with the Principles
Learning Objective

Given reference materials, lecturette, discussions, and exercises, participants will be able to describe Risk Assessment as an internal control component, its principles, principal foci and attributes, in accordance with the prescribed internal control framework and standards, as evaluated by you, your peers and the facilitator.

3
Interrelationships of Objectives, Risks and Controls

4
5
Risk, as variously defined:
• The effect of uncertainty on objectives.
• The possibility that events will occur and affect the achievement of strategy and business objectives.
• The possibility of an event occurring that will have an impact on the achievement of objectives.
• The probability that an event will occur and adversely affect the achievement of objectives.

6
Definition
Risk Assessment
• The process of identifying and analyzing relevant risks to the achievement of the agency’s objectives and determining the appropriate response.
• Plays a key role in the selection of the appropriate control activities to undertake.
• Involves a dynamic and iterative process.
• An agency-wide effort.
7
Risk Assessment: Principles

6. Management identifies and defines objectives and risk tolerance in specific and measurable terms.
7. Management identifies, evaluates, and assesses agency’s risks.
8. Management determines appropriate response to the identified, evaluated, and assessed agency’s risks.

8
P6 Management identifies and defines objectives and risk tolerance in specific and measurable terms.

Setting objectives is a key part of the management process related to strategic planning.

Management establishes risk appetite to serve as a guidepost in setting strategy and assessing the relative importance of objectives.
9
P6 Management identifies and defines objectives and risk tolerance in specific and measurable terms.

Principal Foci (provide guidance in designing, implementing and evaluating ICs):

6.1 Define objectives in specific and measurable terms.

6.2 Consider internal expectations and external requirements when defining objectives.

6.3 Consider the risk tolerances in the context of the agency’s applicable laws, regulations, and standards.
10
PF 6.1 Define objectives in specific and measurable terms.

• Set at a strategic level
• Considers risk from internal and external sources
• Pre-condition to effective event identification, risk assessment and risk response
• Must be aligned with agency’s risk appetite
• Drawn from the agency’s general objectives

Involves clearly defining:
• What is to be achieved?
• Who is to achieve it?
• How will it be achieved?
• The time frames for achievement.
• May be qualitative and quantitative
11
General Objectives

Operations Compliance

Reporting Safeguarding
of Assets
12
PF 6.1 Define objectives in specific and measurable terms.

Attributes (provide further explanation and documentary requirements, or include examples):

a. Establish, communicate and monitor the agency objectives as well as the strategic plans.

b. All employees have a basic understanding of the agency’s overall strategy, strategic plan, and objectives.

13
Example of Key Objectives – in government environment:
• Public Interest
• Performance
• Compliance with law
• Budget vs Actual
• Safeguarding of assets
• Accountability
14
Key Point: It is important to note that strategy cascades from the vision and mission down to general objectives.
15
PF 6.2 Consider internal expectations and external requirements when defining objectives.

Internal expectations:
• Standards of conduct
• Organizational structure
• Expectations of competence

External requirements:
• Laws
• Regulations
• Standards

16
PF 6.2 Consider internal expectations and external requirements when defining objectives.

Attributes:
In establishing the context, the agency considers understanding of the following:

Internal
• Capabilities of the agency in terms of resources and knowledge;
• Information flows and decision-making process;
• Internal stakeholders;
• Objectives and strategies in place;
• Perceptions, values, and culture;
• Policies and processes;
• Standards and reference models adopted by the agency;
• Structures.

External
• Cultural, political, legal, regulatory, financial, economic, and competitive environment factors, whether international, local, national or regional;
• Key drivers and trends having impact on the objectives of the agency;
• Perceptions and values of external stakeholders.
17
PF 6.3 Consider the risk tolerances in the context of the agency’s applicable laws, regulations, and standards.

Risk Tolerance

Scale: Low Level | Risk Appetite | High Level

Risk Appetite - The amount of risk to which the agency is prepared to be exposed before it judges an action to be necessary.

Risk Tolerance - The acceptable level of variation in performance relative to the achievement of objectives. Risk tolerance is also set as part of the objective-setting process and is defined for each objective.

18
PF 6.3 Consider the risk tolerances in the context of the agency’s applicable laws, regulations, and standards.

Target: We are planning on having 500 beneficiaries.

Risk Appetite: We are accepting risk that may result in beneficiary counts as low as 450 and as high as 550.

Risk Tolerance: If beneficiaries fall below 250 or exceed 700, the program will be terminated or management will take a drastic move.

Scale (low level to high level):
250 | 450 | 500 | 550 | 700
RISK TOLERANCE | RISK APPETITE | RISK TOLERANCE

A risk treatment is an action that is taken to manage a risk.
19
PF 6.3 Consider the risk tolerances in the context of the agency’s applicable laws, regulations, and standards.

Target: Consider the objective of pursuing employee satisfaction and retention, with an appetite of up to 6% employee turnover and an acceptable variation (or tolerance) of 2%.

This would indicate that the agency deems employee motivation programs and compensation structures to be appropriately tuned as long as turnover remains at or below 6%.

If turnover were to exceed 8% (6% plus 2% acceptable variation), the agency would need to take further measures to counter the potential loss of institutional knowledge and the likely decline in employee morale and customer service, all of which would impact its operations too significantly.

Scale (low level to high level):
6% | 2% | 8%
RISK APPETITE | RISK TOLERANCE

20
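The two worked cases above (the 500-beneficiary programme with its 450–550 appetite and 250–700 tolerance band, and the 6% turnover appetite with 2% acceptable variation) can be encoded as a small band check that a risk register would apply to each reported figure. The following is an added example, not part of the session material; the two bands are constructed from the figures on the slides, and the mapping from band to response (routine monitoring, specific mitigation, termination or drastic management action) is this example's own reading of the deck's required-action wording, not an official COA rule.

```python
"""Risk appetite / tolerance band check for a risk register entry.

Added example (not part of the COA session material). The two bands below
are constructed from the deck's worked cases; the response mapping is an
assumption modelled on the deck's required-action wording.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ToleranceBand:
    """Appetite and tolerance limits for one objective. None means that side is unbounded."""
    objective: str
    target: Optional[float]
    appetite_low: Optional[float]
    appetite_high: Optional[float]
    tolerance_low: Optional[float]
    tolerance_high: Optional[float]

    def __post_init__(self) -> None:
        # The appetite range must sit inside the tolerance range; a band set the
        # other way round would report "within appetite" for values management
        # has already declared intolerable, so refuse to build it.
        if (self.appetite_low is not None and self.appetite_high is not None
                and self.appetite_low > self.appetite_high):
            raise ValueError(f"{self.objective}: appetite_low exceeds appetite_high")
        if (self.tolerance_low is not None and self.appetite_low is not None
                and self.appetite_low < self.tolerance_low):
            raise ValueError(f"{self.objective}: appetite_low is below tolerance_low")
        if (self.tolerance_high is not None and self.appetite_high is not None
                and self.appetite_high > self.tolerance_high):
            raise ValueError(f"{self.objective}: appetite_high is above tolerance_high")


WITHIN_APPETITE = "within appetite"
WITHIN_TOLERANCE = "outside appetite, within tolerance"
OUTSIDE_TOLERANCE = "outside tolerance"

# Assumed band -> response mapping, modelled on the deck's required-action wording.
RESPONSE = {
    WITHIN_APPETITE: "manage with routine controls; monitor and review",
    WITHIN_TOLERANCE: "develop specific mitigation; assign a process owner",
    OUTSIDE_TOLERANCE: "escalate: terminate the program or take drastic management action",
}


def classify(band: ToleranceBand, observed: float) -> str:
    """Place an observed value in one of the three bands.

    Limits are inclusive: 450 beneficiaries is still within appetite, and
    exactly 8% turnover is still within tolerance ("exceed 8%" triggers escalation).
    """
    def below(limit: Optional[float], value: float) -> bool:
        return limit is not None and value < limit

    def above(limit: Optional[float], value: float) -> bool:
        return limit is not None and value > limit

    # Tolerance is the outer boundary, so check it first.
    if below(band.tolerance_low, observed) or above(band.tolerance_high, observed):
        return OUTSIDE_TOLERANCE
    if below(band.appetite_low, observed) or above(band.appetite_high, observed):
        return WITHIN_TOLERANCE
    return WITHIN_APPETITE


def assess(band: ToleranceBand, observed: float) -> Tuple[str, str]:
    """Return (band name, response) for one reported figure."""
    status = classify(band, observed)
    return status, RESPONSE[status]


# Constructed from the deck's two worked cases.
BENEFICIARIES = ToleranceBand("Programme beneficiaries", 500, 450, 550, 250, 700)
# Turnover has no lower limit: 0% turnover is not a risk in this objective.
TURNOVER = ToleranceBand("Employee turnover (%)", None, None, 6.0, None, 8.0)


if __name__ == "__main__":
    samples = ((BENEFICIARIES, [520, 300, 200, 720]), (TURNOVER, [5.5, 7.0, 9.0]))
    for band, observations in samples:
        for value in observations:
            status, action = assess(band, value)
            print(f"{band.objective}: observed {value} -> {status}: {action}")
```

Because tolerance is checked before appetite, a figure can never be reported as "within appetite" when it has already breached the outer band, and the constructor rejects a band whose appetite lies outside its tolerance, which is the configuration error most likely to make such a check silently pass.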
PF 6.3 Consider the risk tolerances in the context of the agency’s applicable laws, regulations, and standards.

Attributes:

a. Consider how much risk management is willing to accept when setting strategic direction and strive to maintain risk within those levels.

b. Have a risk assessment framework in place.

21
P7 Management identifies, evaluates, and assesses agency’s risks.

Principal Foci:

7.1 Identify all risks that may occur (internal or external factors) at
both the agency and activity levels.

7.2 Adopt appropriate tools for the analysis and assessment of risks.

7.3 Consider the potential risks related to fraud and corruption.

22
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.

[Figure: sources of risk, showing Internal Factors and Agency Culture]
23
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.

• “Clean sheet of paper approach” – such approach facilitates the identification of changes in the risk profile of the agency, arising from changes in the economic and regulatory environments, internal and external operating conditions, and from the introduction of new and modified objectives.

• Strategic Approach – identifies risks against key organizational objectives. Risks relevant to those objectives are considered and evaluated.

24
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.

01 Strategic Risk – arises when forces in the environment could significantly “change the fundamentals” that drive government’s overall social and/or operating objectives and strategies;

02 Operations Risk – risk that operations are not in order, unethical, uneconomical, inefficient, and ineffective in executing the government’s operating model, satisfying the public, and achieving the government’s quality, cost and time performance objectives.
25
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.

03 Compliance Risk – non-compliance with prescribed policies and procedures, or laws and regulations, resulting in lower quality output, higher execution costs, lost revenues, unnecessary delays, penalties, fines, and so on.

04 Financial Risk – risk that cash flows and financial risks are not managed cost effectively.

26
Strategic
Planning and resource allocation
• Organizational structure
• Strategic planning
• Operational planning
• Budgeting
• Forecasting
• Resource allocation
• Capital/fund availability
• Operational model
• Operational portfolio
• Outsourcing
Major initiatives
• Vision and direction
• Planning and execution
• Measurement and monitoring
• Technology implementation
• Project evaluation
• Change readiness
• Climate change and sustainability initiatives
Environment dynamics
• Economic changes
• Financial market
• Sovereign/political
• Customer/public wants
• Technological innovation
• Environment scan
• Agency environment/industry
• Sensitivity
Market dynamics
• Macroeconomic factors
• Lifestyle trends
• Sociopolitical
• Technology changes
Communication and public relations
• Media relations
• Public relations
• Crisis communications
• Employee communication

Operations
Public service and operations
• Customer/public satisfaction
• Channel effectiveness
• Cycle time
• Service failure
• Efficiency
• Capacity
• Performance measure/gap
• Partnering/contracting
People
• Culture
• Recruiting and retention
• Development and performance
• Succession planning
• Knowledge capital
• Compensation and benefits
• Performance incentives
• Health and safety
Information technology
• Security/access
• Availability/continuity
• Integrity
• Infrastructure
Hazards
• Natural events
• Terror and malicious acts
Physical assets
• Real estate
• Property, plant and facilities
• Inventory
• Product/service quality
• Health and safety

Compliance
Mandate
• Functions
Governance
• Governing body/management committee performance
• Tone at the top
• Authority/limit
• Control environment
• Corporate social responsibility
• Reputation
Code of conduct
• Ethics
• Fraud
• Employee/third party fraud
• Illegal acts
• Management fraud
• Unauthorized use
Legal
• Contract
• Liability
• Intellectual property
• Anti-corruption
• Legal
Regulatory
• Trade
• Customs
• Procurement
• Road-right-of-way (RROW) acquisition
• Labor
• Securities
• Environment
• Data protection and privacy
• International
• Competitive practice/antitrade

Financial
Market
• Interest rate
• Foreign currency
• Commodity
• Financial instrument
Liquidity and credit
• Cash management
• Opportunity cost
• Funding
• Hedging
• Credit and collections
• Insurance
Accounting and reporting
• Accounting, reporting, and disclosure
• Internal control
• Investment evaluation
• Tax strategy and planning
Capital structure
• Debt
• Equity
• Pension funds
27
Two of the most commonly used tools for identifying risks:

1. Commissioning a risk review (top-down approach)
• A team is established wherein they consider the operations and activities of the agency, its objectives and its related risks.

2. Conducting risk self-assessment (bottom-up approach)
• Each level and part of the agency is invited to review its activities and feed diagnosis of risks faced.

28
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.

Attributes:

a. Identify the causes and sources of risks, events, situations, or circumstances which can have a material impact upon objectives and the nature of that impact.

b. Consider the presence (or absence) and the effectiveness of any existing controls in determining the risk’s consequences and probabilities.

29
Methods in risk identification:
• Checklist
• Benchmarking
• Scenario Planning
• Vulnerability Assessment
• Brainstorming
• Control Self-Assessment
• Questionnaire or survey
• Workshop
31
Process for risk identification

1. Look for events that may precipitate risks
• Follow a structured and systematic process
• Involve people who bring a range of different perspectives, using research to enhance understanding
• Utilize brainstorming activities to gain maximum inputs
• Consider the impact of events with respect to desired objectives.

2. Develop the risk universe
• Consider the possible outcomes of events identified.
• Group these together by similar sources, causes, or related impacts.
• Analyze groups and label each cluster with an appropriate name.
• Write a definition that explains each group of related risks.
• Organize the risk universe under major headings to reflect the needs of the agency.

3. Collate all identified risks on a risk register
• A structured record of all the key risks and their analysis.
• Risk registers may be compiled and held in different parts of the agency.

Source: Sobel and Reding (2012)
32


7.2 Adopt appropriate tools for the analysis and assessment of risks.

• Management evaluates each identified risk in terms of its impact and likelihood of occurrence.

Impact – represents the scale of the effect that the event will have on the agency’s ability to achieve its objectives.

Likelihood – the possibility that an event will occur in a given period of time.

33
7.2 Adopt appropriate tools for the analysis and assessment of risks.

Risk rating scales may be defined in quantitative and/or qualitative terms.

Quantitative rating scales bring a greater degree of precision and measurability to the risk assessment process.

Qualitative terms need to be used when risks do not lend themselves to quantification, when credible data is not available, or when obtaining and analyzing data is not cost-effective.
34
[Slides 35–40: risk rating matrix figures, credited to PricewaterhouseCoopers and www.humanservices.alberta.ca]
40
Rating and Required Action

Low – Manage with routine controls; monitor and review.
Moderate – Develop specific control and mitigation procedures; specify the process owner’s responsibility; monitor and review.
High – Develop a detailed mitigation plan; specify high-level officials’ responsibility.

41
PF 7.2 Adopt appropriate tools for the analysis and assessment of risks.

Attribute:

a. Perform periodic review to anticipate and identify routine events or activities that may affect the agency’s ability to achieve its objectives and address them.

42
Risk rating scales are NOT one-size-fits-all and should be defined as appropriate to enable a meaningful evaluation and prioritization of the risks identified and facilitate dialog to determine how to allocate resources within the organization.

43
7.3 Consider the potential risks related to fraud and corruption.

• All government agencies need to consider the potential for fraud to occur in their operation.

Definition of Fraud (ICSPPS Handbook)

“An unlawful interaction between two entities, where one party intentionally deceives the other through the means of false representation in order to gain illicit and unjust advantage. It involves acts of deceit, trickery, concealment, or breach of confidence that are used to gain some unfair or dishonest advantage.”

44
7.3 Consider the potential risks related to fraud and corruption.

COA Memorandum No. 93-813, dated July 9, 1993

“Fraud is deemed to comprise anything calculated to deceive, including all acts, omissions, and concealment involving a breach of legal or equitable duty, trust, or confidence justly reposed, resulting in damage to another, or by which an undue and unconscionable advantage is taken of another.

Fraud indicates that there has been disclosure or detection of deceit, abuse, wastage or illegal act that has resulted in loss or damage to public funds and properties. Consequently, there has been a violation of law, rule or regulation.”
46
7.3 Consider the potential risks related to fraud and corruption.

Corruption involves effort to influence and/or the abuse of public authority through the giving or the acceptance of inducement or illegal reward for undue personal or private advantage.

47
7.3 Consider the potential risks related to fraud and corruption.

Types of Fraud
• Fraudulent Financial Reporting
• Misappropriation of assets
• Corruption
• Waste
• Abuse

48
7.3 Consider the potential risks related to fraud and corruption.

Fraud Risk Factors

• Incentive/Pressure – Management and/or other personnel have an incentive or are under pressure which provides a motive to commit fraud.
• Opportunity – Circumstances such as the absence of controls, or the ability of management to override controls, exist that provide an opportunity to commit fraud.
• Attitude/Rationalization – Individuals involved are able to rationalize committing fraud. Examples are individuals who possess an attitude, character or ethical values that allow them to knowingly and intentionally commit a dishonest act.
49
PF 7.3 Consider the potential risks related to fraud and corruption.

Attributes:

a. Fraud risk exposures are assessed periodically to identify specific potential schemes and events that the agency needs to mitigate.

b. A reporting process is established to solicit input on potential fraud, and a coordinated approach to investigation and corrective action is used to help ensure potential fraud is addressed appropriately and timely.

52
EXERCISE 2.0

53
RISK ASSESSMENT EXERCISE

OBJECTIVES | RISK DESCRIPTION | LIKELIHOOD | IMPACT | RISK RATING | CONTROL ACTIVITIES
Procure computers in compliance with RA 9184 | 1. Risk that procured desktop computers’ specifications are customized | L | M | L | (to be completed)

54


P8 Management determines appropriate response to the identified, evaluated, and assessed agency’s risks.

Principal Foci:

8.1 Design appropriate response to the relevant agency’s risks.

8.2 Identify, analyze, and respond to significant changes that could impact the internal control system.

55
8.1 Design appropriate response to the relevant agency’s risks.

• Based on the significance of the analyzed risks, responses by management may be to accept, avoid, reduce, or share them in an effort to ensure risks are within the established tolerances for each objective.

• Management may need to re-evaluate its risk tolerance or its responses if the program is unable to provide assurance that the objectives will be achieved.

56
8.1 Design appropriate response to the relevant agency’s risks.

[Figure: risk response options, credited to mah.gov.on.ca]

57
Risk Responses

• Sharing/Risk Transfer
• Reduction/Risk Treatment
• Acceptance/Tolerance
• Avoidance/Terminating of Activity

58
Sharing/Risk Transfer

• Reduces the likelihood or the impact of the risk
• Can be done through insurance or through a third party who assumes the risk
• Applies only to financial risks, asset risks and outsourcing activities

59
Acceptance/Tolerance

• No action is taken, whether as to likelihood or impact
• Chosen where other responses are not cost-effective
• Can be supplemented by contingency plans

60
Reduction/Risk Treatment

• Also known as “control procedures”
• Action is taken to reduce the likelihood, the impact, or both, of the risk
• Includes the day-to-day decisions made by the agency

61
Avoidance/Terminating of Activity

• Leaving the activity which may cause the occurrence or the aggravation of the risk
• May be useful when considering new methodologies for delivery of service (e.g. deciding whether an activity is appropriate or not, or whether to continue or discontinue a specific project)

62
PF 8.1 Design appropriate response to the relevant agency’s risks.

Attribute:

a. Oversight and monitoring of the risk assessment process and of actions taken to address the significant risks identified is done by the head of agency or the governing body.

64
8.2 Identify, analyze and respond to significant changes that could impact the internal control system.

• Change is constant; therefore management should anticipate and plan for these changes to come.

• Identification should be on a timely basis and considers both external and internal conditions that have occurred and will occur.

• Changes are communicated across the agency to the appropriate personnel.

65
8.2 Identify, analyze and respond to significant changes that could impact the internal control system.

Internal and external factors
Internal Changes:
• programs or activities
• oversight structure
• organizational structure
• technology
• personnel

66
8.2 Identify, analyze and respond to significant changes that could impact the internal control system.

Internal and external factors
External Changes:
• Government
• Economic environment
• Technological environment
• Legal and regulatory environment
• Physical environment
67
• Conditions affecting the agency and its environment are analysed, as existing controls may not be effective.
• Based on the analysis made, response may be made by revising the internal control system, on a timely basis or when necessary.

Further, changing conditions prompt new risks or changes to existing risks that need to be assessed.
68
PF 8.2 Identify, analyze and respond to significant changes that could impact the internal control system.

Attributes:

a. Processes are in place to inform appropriate levels of management about changes with possible significant effects on the agency.

b. There are groups or individuals who are responsible for anticipating or identifying changes with possible significant effects on the agency.

70
SUMMARY
72
