Overcoming the Subjectivity Challenge in Risk Assessments

External auditors and the board of directors are placing more and more emphasis on Enterprise Wide Risk Assessments. They are also requiring that these risk assessments be non-subjective. This requirement of non-subjectivity may be a response to the overall economic climate, but it is also necessary to build confidence in the overall Risk Assessment process. It may be easier for the Risk Officer to give their own perspective during the assessment. However, the external auditor will most certainly view this as subjective, even if that Risk Officer has 20 years of business experience at that particular organization.

But isn’t there going to ALWAYS be some subjectivity in Risk Assessments? Aren’t we really trying to measure the un-measurable? After all, there are a considerable number of risks at an organization that have never occurred and most likely never will. Truly, determining a measuring mechanism for these events will most certainly have some degree of subjectivity!

According to Wikipedia:

Subjectivity refers to a subject's perspective, particularly feelings, beliefs, and desires. It is often used casually to refer to unjustified personal opinions, in contrast to knowledge and justified belief. In philosophy, the term is often contrasted with objectivity.

Business Judgment refers to an informed decision that was not tainted by self-interest.

So although conducting a Risk Assessment for events that have never occurred will include our perspective (beliefs and most likely desires), we have to be able to make an “informed” or “objective” decision. An auditor will be looking for some support or evidence that helped us make that decision. This support can come in a number of ways: industry surveys or best practices can be referenced, and internal questionnaires or surveys can be conducted. The bottom line is that the one thing that turns subjectivity into judgment is the fact that it is an “informed” decision, and we will have to produce evidence of how we were informed.

Now that we are able to make an “informed decision”, we have to be able to communicate the results of our business judgment. In the past, a very large number of Risk Assessments relied on a High-Medium-Low (H-M-L) scoring mechanism. H-M-L scoring is most likely not going to meet the auditors' needs in the future (even if they have approved such a rating in the past!). If you elect to (continue to) use a scoring system of H-M-L, then you should define the range that each of the H-M-L scores represents. The important thing is to build logic into your scoring system that will allow you to obtain easier buy-in from your board and auditors. Removing as much subjectivity as you can from your scoring system will also contribute to easier buy-in from your stakeholders (including the auditor).

The risk probability and impact ratings for an event help show that not all risks are created equal; some are more important than others. The same logic applies to controls: some controls are more effective than others. A directive control (policy) is not as effective as a detective or preventative control. Automated controls are more effective than manual controls. All these factors need to be applied to your Control scoring system. You should also determine whether your control is considered best in class or potentially a meager attempt at mitigating the risk.

It is certainly easier to develop a simple matrix and use scores based on High, Medium and Low and try to convince yourself and the auditor that you are doing the best you can to mitigate risks. However, what you really need to do is develop a system that will allow you to build a better organization, not just something that you can use to check off another box that the task is complete.

In summary, there are (at least) two ways of turning the subjectivity in your assessment into business judgment or, minimally, justified belief:

  • Collect evidence that supports your conclusions, and
  • Develop a meaningful scoring system that allows risks and controls to be compared across your organization.

Our Team
Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.

Our Value 

    • Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, we tailor comprehensive, cost-effective and flexible solutions to our clients.
    • Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
    • We involve your executive team, including your internal and external advisors, to guarantee solutions are absolutely consistent with your requirements.
    • We allow you to concentrate on managing your business.

For more information, visit our home page: www.visagesolutions.com

 


"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank
 
"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2007 Visage Solutions, LLC.