A significant number of Risk Officers feel they have a very good handle on the risks their organizations are facing on a daily basis. When using a pre-existing Risk Matrix, their immediate reaction is typically to attempt to start scoring the controls and events using a top-down approach. This is not the proper approach to use when managing the risk assessment process. However, having the Risk Officer perform their original gut-feel assessment may not necessarily be a poor management technique, as long as the objective is ONLY TO ASSIST WITH THE DESIGN of the overall risk assessment process. This technique will assist in ensuring the risks, controls and scoring system are designed properly.
The auditor will request to see the underlying evidence of a bottom-up approach. This is required so that all levels of the organization have participated and were able to communicate risks that could affect the entire organization. If the auditor does not see evidence of a bottom-up approach, they will most likely discount the Risk Assessment process, which will subsequently reflect negatively on the effectiveness of your internal controls.
There are several techniques that can be employed to build evidence. However, the real objective is to collect information from the entire organization to be included in the assessment. Usually a number of different types of questionnaires (or surveys) can be employed: one targeting the entity-level control activities, others focusing on a particular event grouping (Information Security, Ethics, etc.). The purpose is to provide input (information to support) for the individual scores being used in the Risk Matrix. The results of the questionnaire or survey should translate into the weighting and scoring system you will be using in the overall Risk Assessment. However, it is also important for the survey participant to be able to communicate additional risks or controls outside of what you have initially designed.
Having a questionnaire where the answers are completely text based (“How do you…”) allows the participant to describe how they think a risk is mitigated or a control employed. However, it requires the most time and effort in assembling the results of the survey and translating them into a scoring system.
Having a questionnaire that uses the same scoring (numbering) system you intend to employ in your overall Risk Assessment scheme would be viewed by the auditor as not sufficient, since it would appear you may be suggesting what you want the answers to be.
A combination of your scoring system and a space for comments may also be viewed by your auditor as leading the participant, even if it gives the participant the ability to identify items you may not have thought of.
Another technique to employ would be to ask similar questions of people at different levels in the organization. They may be worded a little differently depending on the responsibility of the person in the organization. This technique is very effective since it attempts to identify the differences between what management thinks and what may really be happening.
Questions from industry trade groups that identify ‘common things to worry about’ have often been circulated and should be included in your Risk Analysis and questionnaires.
Therefore, the most effective approach would be to have several surveys with open-ended questions that include some of the risk categories and control activities incorporated in your overall risk assessment design. The questions should not be leading, but worded in such a way that you can read the comments from the participant and translate those comments into your overall rating scheme. Questions from industry trade groups should be incorporated into the design of the questionnaires to give you sufficient support for the overall scoring system in your Risk Assessment.
The survey approach, although the most effective, is also the most time consuming. The Risk Officer may elect to review different sections of the Risk Matrix with a number of the people who would have received the survey. This technique is still collecting information from the enterprise to feed into the assessment; however, it does not provide the evidence required by the auditor. If this technique is used, make sure there is evidence of, and agreement on, the scores put into the scoring system. A simple email with the results of the meeting can be considered as evidence by the auditor.
Lastly, remember that the purpose is to have valid information for your Risk Assessment, not necessarily to collect evidence so the auditor can check the box.
Our Team
Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.
Our Value
- Utilizing our proprietary SingleVue™ compliance methodology, we tailor comprehensive, cost-effective and flexible solutions to our clients.
- Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
For more information, visit our home page: www.visagesolutions.com