• Risk begins with strategy formulation and objective setting. An organization is in business to achieve particular strategies and objectives, and risks represent the barriers to successfully achieving those objectives. Therefore, because each organization has somewhat different strategies and objectives, they also will face different types of risks.
• Risk does not represent a single point estimate (for example, the most likely outcome). Rather, it represents a range of possible outcomes. Because many different outcomes are possible, the concept of a range is what creates uncertainty when understanding and evaluating risks.
• Risks may relate to preventing bad things from happening (risk mitigation), or failing to ensure good things happen (that is, exploiting or pursuing opportunities). Most people focus on preventing bad outcomes—for example, a hazard that needs to be mitigated or eliminated. While many risks do, in fact, present a threat to an organization, failure to achieve positive outcomes also may create a barrier to the achievement of an objective and is also a risk.
• Risks are inherent in all aspects of life—that is, wherever uncertainty exists, one or more risks exist. The examples provided in the previous section on the history of risk illustrate how the understanding of risk has evolved. Those risks specifically associated with organizations conducting a form of business are commonly referred to as business risks. This can be thought of in quite simple terms: uncertainties regarding threats to the achievement of business objectives are considered business risks.
• Internal environment. "Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment encompasses the tone of an organization, and sets the basis for how risk and control are viewed and addressed by an entity's people. The core of any business is its people—their individual attributes, including integrity, ethical values, and competence—and the environment in which they operate."
• Objective setting. "Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives."
• Event identification. "Management identifies potential events that, if they occur, will affect the entity, and determines whether these events represent opportunities or whether they might adversely affect the entity's ability to successfully implement strategy and achieve objectives. Events with negative impact represent risks, which require management's assessment and response. Events with positive impact represent opportunities, which management channels back into the strategy and objective-setting processes. When identifying events, management considers a variety of internal and external factors that may give rise to risks and opportunities, in the context of the full risk scope of the organization."
• Risk assessment. "Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives—likelihood and impact—and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and residual basis."
• Risk response. "Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing, and acceptance. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available, and takes an entity-wide, or portfolio, view of risk, determining whether overall residual risk is within the entity's risk appetite."
• Control activities. "Control activities are the policies and procedures that help ensure that management's risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions."
• Information and communication. ... that information must be:
■ Appropriate and at the right level of detail.
■ Timely and available when needed.
■ Current, reflecting the most recent financial or operational information.
■ Accurate and reliable.
■ Accessible to those who need it.
• Establish the context, which focuses on understanding and agreeing on both the external and internal factors that will influence risk management. This activity also encompasses the definition of risk criteria, which are defined as "the terms of reference against which the significance of a risk is evaluated."26 Such terms may include the organization's risk appetite, risk tolerance levels, and criteria against which risk may be assessed (such as impact and likelihood).
• Assess the risks, which involves identifying the risks, analyzing the risks by considering the causes, sources, and types of outcomes, and evaluating the risks to help prioritize which ones should be treated first.
• Treat the risks, which involves making decisions similar to those described in the risk response discussion of COSO earlier in this chapter.
• Monitor risks to identify the onset of a risk event and evaluate whether the risk treatments are having the desired effect. Therefore, it is also important to make sure risk management activities are properly recorded to assist in this monitoring.
• Establish a communication and consultation process to ensure information flows up, down, and across the organization to enable the risk management process.
to linking the audit plan to risk and exposures:
1. In developing the internal audit activity's audit plan, many CAEs find it useful to first develop or update the audit universe ... The CAE may obtain input on the audit universe from senior management and the board.
2. The audit universe can include components from the organization's strategic plan. By incorporating components of the organization's strategic plan, the audit universe will consider and reflect the overall business' objectives. Strategic plans also likely reflect the organization's attitude toward risk and the degree of difficulty in achieving planned objectives. The audit universe will normally be influenced by the results of the risk management process. The organization's strategic plan considers the environment in which the organization operates. These same environmental factors would likely impact the audit universe and the assessment of relative risk.
3. The CAE prepares the internal audit activity's audit plan based on the audit universe, input from senior management and the board, and an assessment of risk and exposures ... and information to help them accomplish the organization's objectives, including an assessment of the effectiveness of management's risk management activities.
4. The audit universe and related audit plan are updated to reflect changes ...
5. Audit work schedules are based on, among other factors, an assessment of risk and exposures ... A variety of risk models exist to assist the CAE. Most risk models use risk factors such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations.37