Beyond the Numbers

Addressing organizational risk should encompass more than financial and compliance risk. Many companies focus on financial audit and SOX—and not much else. The reason: the penalty for not addressing these areas is clear and easily quantified in dollars. But other areas also can negatively affect your company if they’re ignored. The first step to addressing these areas is to make sure all of your business units are identified—I refer to this as the total population of operational areas.

The next step is to establish predictive risk factors that are key to your industry. Predictive factors that can be applied to all business units in all industries include:

  • Management control environment
  • Business exposure
  • Compliance requirements
  • Public or political sensitivity
  • Organizational change or growth
  • Information & reporting
  • Fraud potential
  • Business continuity

Once you’ve identified and weighted the predictive factors, it’s time to sit down with the business unit owners and determine the relevance of each factor in their area of responsibility. Many questionnaires can be used during these interviews to address each of the factors. Areas covered within the management control environment interview include:

  • Adequacy of existing control structure
  • Expertise of management
  • Historical problems
  • Interval since the last audit review
  • Findings during recent assessments
  • Adherence to budget
  • Complexity of operations & technology
  • Overall effectiveness & efficiency of operations

Once all interviews and questionnaires are completed, their results can be fed into a risk scoring model, which is great for presenting to executive management and completing an annual audit plan. The risk scoring model assigns a composite risk score to each business unit, based on its answers to the questions and on the weighting assigned to the predictive risk factors for the industry. If the process is completed correctly, the risk scorecard is a great tool for finding areas where a company may be deficient in addressing risk. At a minimum, it will allow management to objectively assess the company’s risk profile.

If this risk assessment exercise is something that could help your organization, please contact us.

Philip Baker

Philip has more than nine years of experience analyzing internal control environments and business risk, including several years with a Fortune 500 financial institution. His primary focus is assisting clients with risk identification and control environment design, leading internal audit teams and making cost-effective recommendations to enhance internal controls.