ICSPPS - Session 2.2 - Risk Assessment - ICSAO Revised 1
Risk Assessment
Commission on Audit
Central Office
June 26, 27 & 29, 2023
JAYVIN I. ESTILLORE
State Auditor I
Internal Control Systems Advisory Office
Commission on Audit, SAI Philippines
Session Overview
Interrelationships of Objectives, Risks and Controls
Risk
• The effect of uncertainty on objectives.
• The possibility that events will occur and affect the achievement of strategy and business objectives.
• The possibility of an event occurring that will have an impact on the achievement of objectives.
• The probability that an event will occur and adversely affect the achievement of objectives.
Definition
Risk Assessment
• The process of identifying and analyzing relevant risks to the achievement of the agency’s objectives and determining the appropriate response.
• Plays a key role in the selection of the appropriate control activities to undertake.
• Involves a dynamic and iterative process.
• An agency-wide effort.
Risk Assessment: Principles
P6 Management identifies and defines objectives and risk tolerance in specific and measurable terms.
Objective categories: Operations; Reporting; Compliance; Safeguarding of Assets.
PF 6.1 Define objectives in specific and measurable terms.
Attributes:
a. Establish, communicate and monitor the agency objectives as well as the strategic plans.
b. All employees have a basic understanding of the agency’s overall strategy, strategic plan, and objectives.
Example of Key Objectives – in government environment: Public Interest; Performance; Compliance with law; Budget vs Actual; Safeguarding of assets; Accountability.
PF 6.2 Consider internal expectations and external requirements when defining objectives.
Attributes:
In establishing the context the agency considers understanding of the following:
Internal
• Capabilities of the agency in terms of resources and knowledge;
• Information flows and decision-making process;
• Internal stakeholders;
• Objectives and strategies in place;
• Perceptions, values, and culture;
• Policies and processes;
• Standards and reference models adopted by the agency;
• Structures.
External
• Cultural, political, legal, regulatory, financial, economic, and competitive environment factors, whether international, local, national or regional;
• Key drivers and trends having impact on the objectives of the agency;
• Perceptions and values of external stakeholders.
PF 6.3 Consider the risk tolerances in the context of the agency’s applicable laws, regulations, and standards.
Risk Tolerance
Risk Appetite - The amount of risk to which the agency is prepared to be exposed before it judges an action to be necessary. It is also set as part of the objective-setting process and is defined for each objective.
(Figure: risk tolerance scale from low level to high level.)
A risk treatment is an action that is taken to manage a risk.
Target example: Consider the objective of pursuing employee satisfaction and retention, with an appetite of up to 6% employee turnover and an acceptable variation (or tolerance) of 2%.
This would indicate that the agency deems employee motivation programs and compensation structures to be appropriately tuned as long as turnover remains at or below 6%.
If turnover were to exceed 8% (6% plus 2% acceptable variation), the agency would need to take further measures to counter the potential loss of institutional knowledge and the likely decline in employee morale and customer service, all of which would impact its operations too significantly.
(Figure: scale from low level to high level, marking 6% appetite, 2% tolerance, 8% limit.)
P7 Management identifies, evaluates, and assesses agency’s risks.
Principal Foci:
7.1 Identify all risks that may occur (internal or external factors) at
both the agency and activity levels.
7.2 Adopt appropriate tools for the analysis and assessment of risks.
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.
(Figure: internal factors, e.g. agency culture.)
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.
Strategic Risk
02 Operations Risk: risk that operations are not in order, unethical, uneconomical, inefficient, and ineffective in executing the government’s operating model, satisfying the public, and achieving the government’s quality, cost and time performance objectives.
03 Compliance Risk: non-compliance with prescribed policies and procedures, or laws and regulations, resulting in lower quality output, higher execution costs, lost revenues, unnecessary delays, penalties, fines, and so on.
04 Financial Risk: risk that cash flows and financial risks are not managed cost effectively.
Risk categories
Strategic
Planning and resource allocation
• Organizational structure
• Strategic planning
• Operational planning
• Budgeting
• Forecasting
• Resource allocation
• Capital/fund availability
• Operational model
• Operational portfolio
• Outsourcing
Major initiatives
• Vision and direction
• Planning and execution
• Measurement and monitoring
• Technology implementation
• Project evaluation
• Change readiness
• Climate change and sustainability initiatives
Environment dynamics
• Economic changes
• Financial market
• Sovereign/political
• Customer/public wants
• Technological innovation
• Environment scan
• Agency environment/industry
• Sensitivity
Market dynamics
• Macroeconomic factors
• Lifestyle trends
• Sociopolitical
• Technology changes
Communication and public relations
• Media relations
• Public relations
• Crisis communications
• Employee communication
Operations
Public service and operations
• Customer/public satisfaction
• Channel effectiveness
• Cycle time
• Service failure
• Efficiency
• Capacity
• Performance measure/gap
• Partnering/contracting
• Reputation
People
• Culture
• Recruiting and retention
• Development and performance
• Succession planning
• Knowledge capital
• Compensation and benefits
• Performance incentives
• Health and safety
Information technology
• Security/access
• Availability/continuity
• Integrity
• Infrastructure
Hazards
• Natural events
• Terror and malicious acts
Physical assets
• Real estate
• Property, plant and facilities
• Inventory
• Product/service quality
• Health and safety
Compliance
Mandate
• Functions
Governance
• Governing body/committee
• Tone at the top
• Authority/limit
• Control environment
• Corporate social responsibility
Code of conduct
• Ethics
• Fraud
• Employee/third party fraud
• Illegal acts
• Management fraud
• Unauthorized use
Legal
• Contract
• Liability
• Intellectual property
• Anti-corruption
• Legal
Regulatory
• Trade
• Customs
• Procurement
• Road-right-of-way (RROW) acquisition
• Labor
• Securities
• Environment
• Data protection and privacy
• International
• Competitive practice/antitrade
Financial
Market
• Interest rate
• Foreign currency
• Commodity
• Financial instrument
Liquidity and credit
• Cash management
• Opportunity cost
• Funding
• Hedging
• Credit and collections
• Insurance
Accounting and reporting
• Accounting, reporting, and disclosure
• Internal control
• Investment evaluation
• Tax strategy and planning
Capital structure
• Debt
• Equity
• Pension funds
Two of the most commonly used tools for identifying
• A team is established wherein they consider the operations and activities of the agency, objectives and its related risks.
• Each level and part of the agency is invited to review its activities and feed diagnosis of risks faced.
PF 7.1 Identify all risks that may occur (internal or external factors) at both the agency and activity levels.
Attributes:
a. Identify the causes and sources of risks, events, situations, or circumstances which can have a material impact upon objectives and the nature of that impact.
b. Consider the presence (or absence) and the effectiveness of any existing controls in determining the risk’s consequences and probabilities.
Tools: Checklist; Benchmarking; Scenario Planning; Vulnerability Assessment.
More tools for risk identification: Brainstorming; Control Self-Assessment; Questionnaire or survey; Workshop.
Process for risk identification
1. Look for events that may precipitate risks:
• Follow a structured and systematic process.
• Involve people who bring a range of different perspectives, using research to enhance understanding.
• Utilize brainstorming activities to gain maximum inputs.
• Consider the impact of events with respect to desired objectives.
7.2 Adopt appropriate tools for the analysis and assessment of risks.
(Figures on risk analysis tools; sources: PricewaterhouseCoopers; www.humanservices.alberta.ca)
Rating and required action
• Low: Manage with routine controls; monitor and review.
• Moderate: Develop specific control and mitigation procedures; specify process owner’s responsibility; monitor and review.
• High: Develop detailed mitigation plan; specify high level officials’ responsibility.
PF 7.2 Adopt appropriate tools for the analysis and assessment of risks.
Attribute:
a. Perform periodic review to anticipate and identify routine events or activities that may affect the agency’s ability to achieve its objectives and address them.
Risk rating scales are NOT one-size-fits-all and should be defined as appropriate to enable a meaningful evaluation and prioritization of the risks identified and facilitate dialog to determine how to allocate resources within the organization.
7.3 Consider the potential risks related to fraud and corruption.
Types of Fraud
• Fraudulent Financial Reporting
• Misappropriation of assets
• Corruption
• Waste
• Abuse
PF 7.3 Consider the potential risks related to fraud and corruption.
Attributes:
b. A reporting process is established to solicit input on potential fraud, and a coordinated approach to investigation and corrective action is used to help ensure potential fraud is addressed appropriately and timely.
EXERCISE 2.0
RISK ASSESSMENT EXERCISE
Principal Foci:
8.1 Design appropriate response to the relevant agency’s risks.
(Figure source: mah.gov.on.ca)
Risk Responses
• Sharing/Risk Transfer
• Acceptance/Tolerance
• Reduction/Risk Treatment
• Avoidance/Terminating of Activity
PF 8.2 Identify, analyze and respond to significant changes that could impact the internal control system.
Internal and external factors
• Internal changes (e.g. personnel)
• External changes
SUMMARY