Risk Assessments for Financial Institutions, Non-Profits, Government Agencies, Public Entities and Private Organizations
With the advent of the AICPA Statement on Auditing Standards No. 112 (SAS 112), external auditors must communicate the significant deficiencies and material weaknesses in an organization's internal controls that they identify during an audit. A very important factor in judging the effectiveness of an organization's internal controls is the presence of a Risk Assessment. Most organizations have never performed a formal Risk Assessment. Small organizations being what they are, their de facto Chief Risk Officer (usually the CEO, CFO or COO) has a 'gut feel' for the risks he or she faces on a daily basis. For some risks, effective controls to mitigate the risk have been implemented; for others, they have not. Lack of time and the pressure of other business priorities are often cited as the reasons. Unfortunately, the external auditors will be looking for documented proof of the logic or reasoning used to support addressing some risks and not others. Most auditors, and the examiners of the agencies that make up the Federal Financial Institutions Examination Council (FFIEC), will be looking for an objective, bottom-up approach that ensures all levels of the organization have had input to the Risk Assessment process.
Some executives have reached out to the consulting community to have an external third party conduct a Risk Assessment on behalf of management. This can be a fairly costly undertaking. It usually consists of a small team of professionals conducting interviews and/or surveys over several days, then spending a few weeks assembling the information, collecting additional information from management, verifying the results and presenting them to management. Depending on the size of the organization being assessed, this can cost tens if not hundreds of thousands of dollars.
Small organizations are looking for cost-effective alternatives to this Risk Assessment process. Typically the management team completes its own questionnaires, obtained from industry associations, its auditor, the web or other resources at its disposal. These questionnaires are usually risk-based and do not necessarily reflect the controls or mitigation strategies the organization has already put in place. They also do little to compare risks or mitigation strategies beyond rating each one High, Medium or Low. This type of rating is always subjective ("in the eye of the beholder"), so the auditor can, and usually does, hold a different opinion than the executive.
This exercise usually requires some type of tool, and a number of simple Excel spreadsheets have been created that score the risks 1-2-3 (L-M-H). Management then attempts to explain to the auditor why it decided to address only the scenarios scoring above some threshold. In reality, the organization has limited resources and can only afford to implement a limited number of mitigation strategies. The scenarios it should be addressing are not necessarily those with the highest inherent risk (probability and impact alone); they are the scenarios with the highest ratings for which the organization has not yet implemented effective mitigation, that is, the highest residual risk.
</gre_replace>
<gr_insert after="68" cat="add_content" lang="python" orig="not implemented">
The distinction between inherent and residual ranking is easier to see with numbers. The following is an added example, not Visage's tool or any spreadsheet from the page: it assumes a 1-2-3 (L-M-H) scale for probability and impact, an inherent score of probability times impact, and a control-effectiveness factor between 0 (no effective mitigation) and 1 (fully mitigated) that discounts the inherent score to a residual score. The scenario names, scores and control ratings are constructed sample data.

```python
from dataclasses import dataclass

# Assumed scale: 1 = Low, 2 = Medium, 3 = High (the "1-2-3 (L-M-H)" scoring
# used by the spreadsheets described in the text).
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class RiskScenario:
    name: str
    probability: int            # 1..3
    impact: int                 # 1..3
    control_effectiveness: float  # 0.0 = no effective control, 1.0 = fully mitigated

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early; a typo here silently distorts the ranking.
        if self.probability not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"{self.name}: probability must be 1, 2 or 3")
        if self.impact not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"{self.name}: impact must be 1, 2 or 3")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control_effectiveness must be in [0, 1]")

    def inherent_score(self) -> int:
        """Probability x impact, before any mitigation is considered (1..9)."""
        return self.probability * self.impact

    def residual_score(self) -> float:
        """Inherent score discounted by how effective the existing controls are.
        Assumed scoring rule for this example: inherent * (1 - effectiveness)."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def rank_by_inherent(scenarios: list[RiskScenario]) -> list[RiskScenario]:
    """Highest inherent score first; ties broken by name so the order is stable."""
    return sorted(scenarios, key=lambda s: (-s.inherent_score(), s.name))


def rank_by_residual(scenarios: list[RiskScenario]) -> list[RiskScenario]:
    """Highest residual score first; this is the ordering the text argues for."""
    return sorted(scenarios, key=lambda s: (-s.residual_score(), s.name))


def select_for_treatment(scenarios: list[RiskScenario], capacity: int) -> list[str]:
    """Given that only `capacity` mitigation projects can be funded, return the
    names of the scenarios that should get them: the top residual risks."""
    return [s.name for s in rank_by_residual(scenarios)[:capacity]]


# Constructed sample data for a small bank; not from the page.
SAMPLE_SCENARIOS = [
    RiskScenario("Wire transfer fraud", HIGH, HIGH, 0.8),        # strong dual-control already in place
    RiskScenario("Ransomware on file servers", MEDIUM, HIGH, 0.1),  # backups untested
    RiskScenario("Loss of key vendor", MEDIUM, MEDIUM, 0.0),      # no contingency plan
    RiskScenario("Branch power outage", HIGH, LOW, 0.5),          # generator at one branch only
    RiskScenario("Insider data theft", LOW, HIGH, 0.0),           # no activity monitoring
]


def comparison_table(scenarios: list[RiskScenario]) -> list[tuple[str, int, float]]:
    """(name, inherent, residual) rows ordered by residual score, for reporting."""
    return [(s.name, s.inherent_score(), round(s.residual_score(), 2))
            for s in rank_by_residual(scenarios)]


if __name__ == "__main__":
    print("Ranked by inherent risk:")
    for s in rank_by_inherent(SAMPLE_SCENARIOS):
        print(f"  {s.inherent_score()}  {s.name}")
    print("Ranked by residual risk (what remains after existing controls):")
    for name, inherent, residual in comparison_table(SAMPLE_SCENARIOS):
        print(f"  {residual:>4}  (inherent {inherent})  {name}")
    print("Fund these two first:", select_for_treatment(SAMPLE_SCENARIOS, 2))
```

Run stand-alone, the inherent ranking puts wire transfer fraud first, because its probability and impact are both High; the residual ranking drops it to fourth, because effective dual-control is already in place, and promotes the under-mitigated ransomware and vendor scenarios. The second list is the one that justifies the spend to an auditor, and the control-effectiveness column is the documented reasoning the text says auditors look for.
<test>
assert [s.name for s in rank_by_inherent(SAMPLE_SCENARIOS)][:2] == ["Wire transfer fraud", "Ransomware on file servers"]
assert [s.name for s in rank_by_residual(SAMPLE_SCENARIOS)] == [
    "Ransomware on file servers",
    "Loss of key vendor",
    "Insider data theft",
    "Wire transfer fraud",
    "Branch power outage",
]
assert SAMPLE_SCENARIOS[0].inherent_score() == 9
assert abs(SAMPLE_SCENARIOS[0].residual_score() - 1.8) < 1e-9
assert abs(SAMPLE_SCENARIOS[1].residual_score() - 5.4) < 1e-9
assert select_for_treatment(SAMPLE_SCENARIOS, 2) == ["Ransomware on file servers", "Loss of key vendor"]
assert comparison_table(SAMPLE_SCENARIOS)[0] == ("Ransomware on file servers", 6, 5.4)
try:
    RiskScenario("bad", 4, 1, 0.0)
    assert False, "out-of-range probability should be rejected"
except ValueError:
    pass
try:
    RiskScenario("bad", 1, 1, 1.5)
    assert False, "out-of-range control effectiveness should be rejected"
except ValueError:
    pass
</test>
</gr_insert>
<gr_replace lines="69-83" cat="clarify" orig="When providing">
When the Risk Assessment report is provided, the auditor will be looking for a structure based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework: explanations of the organization's control environment, entity-level controls, monitoring and risk response. Terms like Risk Culture and Risk Tolerance are usually answered with the single word 'conservative', which has little meaning to the executive. However, actions speak louder than words: if management were able to compare risks and mitigation strategies using a meaningful scoring mechanism, the results would be a very good indication of the organization's actual risk culture and risk tolerance.
When providing the Risk
Assessment report, the auditor will be looking for
some structure based upon the COSO (Committee of
Sponsoring Organizations) framework. They will be
looking for explanations of the organizations,
control environment, Entity Level Controls,
Monitoring and Risk Response. Terms like Risk
Culture and Risk Tolerance are usually treated with
the words ‘conservative’ and has little meaning to
the executive. However, actions always speak louder
than words, if management was able to compare Risk
and Mitigation strategies utilizing some type of
meaningful scoring mechanism; the results would be a
very good indication of the organizations risk
culture and risk tolerance.
Lastly, executives always want to know how their own Risk Assessment stacks up against those of similar organizations. The Visage team is made up of executives with 20+ years' experience in particular industries, notably utilities and banking. A casual observer would think that all banks and all utilities do essentially the same thing. The truth is that they all do the same thing differently. The Risk Assessment services industry is no exception: we all do the same thing, and we all do it differently.
The idea behind the COSO ERM framework is to give businesses a common framework for addressing, reporting and mitigating risks. Having your own Risk Assessment follow this framework will go a long way toward helping the industry arrive at metrics by which companies can be compared. It will also signal to the auditor that your organization has done its due diligence and takes the Risk Assessment process seriously. The important thing, however, is that all organizations perform Risk Assessments, not because the auditing community expects one, but because it helps the business thrive and be in a position to respond to and recover from "unforeseen" circumstances.
Our Team
Our team comprises experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. Since the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.