Risk Assessments Re-Imagined 2017 IIA Orange County Fall Event “Agility in a changing landscape”


Page 1: Risk Assessments Re-Imagined - Chapters Site County/IIA OC...Internal Audit – IT Annual Risk Assessment & IA Audit Priorities for Major Projects and Applications Internal Audit wanted

Risk Assessments Re-Imagined
2017 IIA Orange County Fall Event
“Agility in a changing landscape”

Page 2

Session objective

Present a Risk Assessment approach that reflects the theme for this year’s IIA Los Angeles Conference:

“Agility in a changing landscape”

Page 3

Agenda

► Session objective
► Introduction
► Comparison of traditional Risk Assessment approach vs EY’s innovative approach
► Case Study
► Questions

Page 4

EY’s approach for Risk Assessments

Page 5

Traditional Risk Assessments approach

► Performed once or twice a year
► Time consuming one-on-one interviews
► Manual aggregation of results
► Difficulty in keeping interviews consistent
► Information flows in one direction
► Haphazard updates to risk register / universe
► Lack of transparency
► Results lack buy-in

Page 6

EY’s innovative approach

► Engages all participants
► Accelerates speed to outcomes
► Removes barriers to effective collaboration
► Drives alignment and buy-in
► Improved quality of results
► Superior experience

Many-to-many functionality dramatically increases the number of ideas generated.

View real-time results.

Anonymity frees ideas, providing open, honest feedback.

Page 7

EY’s innovative approach

► How? ThinkTank – Online collaboration tool. ThinkTank enabled activities:
► Anonymity promotes honest input, regardless of position or who else is participating
► Simultaneous contributions enable fast, effective risk identification and clarification, which allows more time for deep discussion and analysis, generating greater buy-in
► Instant vote results representation allows for immediate analysis; quickly identify alignment or strong differences in opinion that will require further discussion
► The ability to gather input, clarify for shared understanding, and prioritize and evaluate risks on Impact, Likelihood, Management Preparedness
► Gather both quantitative as well as qualitative data, vote results with vote reasoning
► Process and outcomes transparency; every input and assessment captured in real time
► Leverage the platform’s virtual collaborative capabilities to engage more participants and reduce travel costs

Page 8

Case study

Page 9

EY’s ThinkApp for Risk Assessments

STEP 1 Generate / Validate / Clarify Risks
► OPTION 1 Starting with a pre-defined list (review/clarify purposes only)
► OPTION 2 Starting with a predefined list (review/clarify) and ability to add new risks
► OPTION 3 Starting with a “Blank Slate”

STEP 2 Prioritize Risks
► TOP X ASSESSMENT: Pick your Top X (Risks, projects, etc.)
► Options: Capture vote reasoning with commenting feature

STEP 3 Assess Top Risks
► IMPACT, LIKELIHOOD, MANAGEMENT PREPAREDNESS, AND VELOCITY: Multi-criteria assessment of the Top X risks
► Options: Velocity is optional (delete the column if you do not intend to assess it).

STEP 4 Top Risks Assessment Rationale
► OPTION 1 Clarify vote rationale for high and/or low assessed risks
► OPTION 2 Clarify drivers, root causes, controls, etc. for high assessed risks

STEP 5 End of Session Activities
► OPTION 1 Additional risks or areas
► OPTION 2 Any additional questions
► OPTION 3 Feedback on session, technology, approach, or anything missed.

Page 10

Case study approach

► In-depth review of EY’s 5-step process for Risk Assessments
► For each step we will cover:
► ThinkTank activities / options
► Objectives for each of the activities
► Summary of benefits of innovative approach vs traditional approach

Page 11

STEP 1 Generate / Validate / Clarify Risks (screenshot of the ThinkTank activity; callouts: “Select”, “Provide input here”)

Page 12

STEP 1 Generate / Validate / Clarify Risks (screenshot, continued; callouts: “Select”, “Add new risks here”)

Page 13

STEP 1 Generate / Validate / Clarify Risks (screenshot, continued; callout: “Add new risks here”)

Page 14

Generate / Validate / Clarify Risks

Traditional approach:
► Risk register may be outdated or missing key risks
► Participants may not understand the risks
► Lack of ownership by participants

ThinkApp approach:
► Risk register is up to date with input from participants
► Shared understanding of risks by all participants
► Buy-in from participants since they were part of the process

Page 15

Prioritize risks

STEP 2 Prioritize Risks – TOP X ASSESSMENT: Pick your Top X (Risks, projects, etc.). Options: Capture vote reasoning with commenting feature.

(Screenshot callouts: “Ability to provide selection rationale”, “Prioritize top 3 risks (or top X risks)”)

Page 16

Prioritize risks (screenshot of the Top X assessment activity, continued)

Page 17

Prioritize risks

Traditional approach:
► Manual aggregation of risk prioritization
► Limited input due to limited number of participants
► Lack of visibility of aggregate risk view by participants
► No buy-in from participants

ThinkApp approach:
► Automated prioritization of risks by participants
► Organized mechanism to capture rationale for risk ranking
► Immediate visibility to HIGH and LOW risk
► Buy-in from participants since they were part of the process

Page 18

Assess top risks

STEP 3 Assess Top Risks – IMPACT, LIKELIHOOD, MANAGEMENT PREPAREDNESS, AND VELOCITY: Multi-criteria assessment of the Top X risks. Options: Velocity is optional (delete the column if you do not intend to assess it).

(Screenshot callout: “Ability to provide selection rationale”)

Page 19

Assess top risks (screenshot, continued; callout: “Ability to toggle between tabs”)

Page 20

Assess top risks

Traditional approach:
► Manual aggregation of risk assessments
► Limited input due to limited number of participants
► Lack of visibility of aggregate risk view by participants
► No buy-in from participants

ThinkApp approach:
► Automated aggregation and charting of risk assessment results
► Immediate visibility to heat map - “WOW factor”
► Buy-in from participants since they were part of the process
► Enables intelligent discussion
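The Step 2 (Top X vote) and Step 3 (multi-criteria assessment and heat map) aggregation that the five-step process on page 9 and the slides above describe, as an added example; it is not part of the original deck and is not ThinkTank code. The ballots, the ratings, the Low/Medium/High scale values and the scoring rule (impact times likelihood, discounted by management preparedness) are assumptions made for the illustration; only the risk names are taken from the deck’s automotive risk universe. The votes carry no participant identifier, which is what lets the aggregate be shown to the room without exposing who said what.

```python
"""Aggregate anonymous Top X ballots and multi-criteria ratings into a ranked
risk register and heat map. Added illustration only; not ThinkTank code. The
ballots, ratings, scale values and scoring rule below are assumptions."""
from collections import Counter, defaultdict
from statistics import mean

SCALE = {"Low": 1, "Medium": 2, "High": 3}
BANDS = {1: "Low", 2: "Medium", 3: "High"}

# Constructed sample input (not real session data). Step 2: each anonymous
# participant picks a Top 3 from the validated register. No participant
# identifier is stored anywhere, which is what keeps the aggregate anonymous.
TOP_X_BALLOTS = [
    ["Information protection", "Supply chain", "Fraud"],
    ["Information protection", "IT availability/continuity", "Supply chain"],
    ["Supply chain", "Information protection", "Data protection and privacy"],
    ["Fraud", "Information protection", "IT availability/continuity"],
]

# Step 3: anonymous ratings of the Top X risks. Velocity is optional on the
# slides, so one vote below omits it.
ASSESSMENT_VOTES = [
    {"risk": "Information protection", "impact": "High", "likelihood": "High",
     "preparedness": "Low", "velocity": "High"},
    {"risk": "Information protection", "impact": "High", "likelihood": "High",
     "preparedness": "Medium", "velocity": "High"},
    {"risk": "Supply chain", "impact": "High", "likelihood": "Medium",
     "preparedness": "High", "velocity": "Low"},
    {"risk": "Supply chain", "impact": "Medium", "likelihood": "Medium",
     "preparedness": "High"},
    {"risk": "Fraud", "impact": "Medium", "likelihood": "Low",
     "preparedness": "Medium", "velocity": "Low"},
    {"risk": "Fraud", "impact": "Low", "likelihood": "Low",
     "preparedness": "High", "velocity": "Low"},
]


def top_x(ballots, x):
    """Count how many participants selected each risk and return the X most
    selected as (risk, count); ties break alphabetically for determinism."""
    counts = Counter(risk for ballot in ballots for risk in ballot)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:x]


def aggregate(votes, criteria=("impact", "likelihood", "preparedness", "velocity")):
    """Average each criterion per risk on the 1..3 scale. A criterion that a
    vote omits (velocity) is averaged over the votes that did supply it."""
    by_risk = defaultdict(lambda: defaultdict(list))
    for v in votes:
        for c in criteria:
            if c in v:
                by_risk[v["risk"]][c].append(SCALE[v[c]])
    rows = {}
    for risk, cols in by_risk.items():
        rows[risk] = {c: mean(vals) for c, vals in cols.items()}
        rows[risk]["votes"] = len(cols["impact"])
    return rows


def band(value):
    """Map a mean back to a Low/Medium/High band, rounding halves up
    (Python's round() would round 2.5 down to 2)."""
    return BANDS[int(value + 0.5)]


def score(row):
    """Inherent exposure is impact x likelihood (1..9). Management preparedness
    discounts it: High preparedness keeps one third of the exposure, Low keeps
    all of it. This is the example's own rule, not a formula from the deck."""
    inherent = row["impact"] * row["likelihood"]
    residual = inherent * (4 - row["preparedness"]) / 3
    return round(inherent, 2), round(residual, 2)


def ranked_register(votes):
    """[(risk, inherent, residual, (impact band, likelihood band))], highest
    residual exposure first."""
    out = []
    for risk, row in aggregate(votes).items():
        inherent, residual = score(row)
        cell = (band(row["impact"]), band(row["likelihood"]))
        out.append((risk, inherent, residual, cell))
    return sorted(out, key=lambda r: (-r[2], r[0]))


def heat_map(votes):
    """Number of risks in each (impact band, likelihood band) cell: the
    immediate-visibility heat map the slides describe."""
    return Counter(cell for _, _, _, cell in ranked_register(votes))


if __name__ == "__main__":
    print("Top 3:", top_x(TOP_X_BALLOTS, 3))
    for risk, inherent, residual, cell in ranked_register(ASSESSMENT_VOTES):
        print(f"{risk:24} inherent={inherent:<4} residual={residual:<5} cell={cell}")
    print("Heat map:", dict(heat_map(ASSESSMENT_VOTES)))
```

Running it ranks “Information protection” first because it combines high inherent exposure with low preparedness; “Supply chain” has a higher inherent score than “Fraud” but drops sharply once its High preparedness is applied, which is the kind of separation a facilitator would then open for discussion.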

Page 21

Top risk assessment rationale

STEP 4 Top Risks Assessment Rationale – OPTION 1 Clarify vote rationale for high and/or low assessed risks; OPTION 2 Clarify drivers, root causes, controls, etc. for high assessed risks.

(Screenshot callouts: “Select”, “Provide input here”)

Page 22

Top risk assessment rationale (screenshot, continued; callouts: “Select”, “Provide input here”)

Page 23

Top risk assessment rationale

Traditional approach:
► Typically rationale is not shared with participants due to interview nature of risk assessment
► One voice may speak “louder” or carry more weight than others

ThinkApp approach:
► Enables intelligent discussion
► Anonymous feature ensures that participants feel comfortable providing honest input
► Participants, including leadership, leave session with increased awareness of the organization’s risks

Page 24

Risk response discussion

Pages 25 to 27

Risk response discussion (screenshots, continued)

Page 28

Risk response discussion

Traditional approach:
► Typically risk response is shared only with some participants due to interview nature of risk assessment
► May require multiple discussions to obtain alignment due to lack of visibility into process and results

ThinkApp approach:
► Enables immediate sharing of risk response
► All participants are aware of the planned risk response
► Significantly higher buy-in, if not complete buy-in, than traditional approach
► Increased accountability for trouble areas

Page 29

End of session activities

STEP 5 End of Session Activities
► OPTION 1 Additional risks or areas
► OPTION 2 Any additional questions
► OPTION 3 Feedback on session, technology, approach, or anything missed.

Page 30

Participant Feedback
Do you have any comments on the process and technology used for today's meeting?

“This was great - great process, love the tool”

“Excellent, we should use this format more. Very well managed, great tool, great moderation.”

“Great way to get everyone's feedback in a quick manner.”

“The tool worked really well. The anonymous nature of it is nice, gives people the freedom to say things maybe they wouldn't.”

“Everything about this was spot on”

“The tool was great, should be used more often.”

“This was great! I'd like us (IT) to use this in other forms of collaboration - SWOT Analysis, Strategy development, etc. etc.”

“Anonymous collection of feedback a good approach as we have IT leaders that like to dominate topics and are not always open to views of others.”

“I think this is a great initiative! This will guide the team better on the assessment for possible solutions we can implement to benefit the company. Congratulations!”

“Excellent approach to get meaningful results quickly.”

“This was great, fast and dynamic, sure beats 20+ people all talking at once.”

“Excellent collaboration method. Nice to be able to brainstorm so effortlessly.”

Page 31

Questions?

Page 32

Shouldn’t your Risk Assessment approach reflect the current digital capabilities?

Yuliya Poutkaradze
EY Risk
[email protected]
+1-949-307-4686 direct

Mayra Tolosa
EY Risk
[email protected]
+1-213-924-5757 mobile
+1-213-977-3195 office

Page 33

Additional content

Page 34

How it works and client successes

Page 35

Global Manufacturing Company
Internal Audit – IT Annual Risk Assessment & IA Audit Priorities for Major Projects and Applications

Situation
Internal Audit wanted to engage a larger global audience to determine the Priority IT projects and applications to include in the annual audit plan.

Objective
Increase transparency and global buy-in to the IT Projects and Applications to include in the IA annual plan.

Leveraging Digital
► Engage a much larger global stakeholder population - to increase transparency and ownership of IA priorities.
► Complete the Project, Application Risk assessment in a condensed time period (3 two hour virtual sessions).
► Reduced travel costs by conducting global virtual sessions.

Outcomes
► Dramatically increased shared understanding of Projects and Risks
► 5 times the number of stakeholders engaged compared to the previous risk assessment
► Thorough evaluation of Impact, Likelihood, and Management Effectiveness for identified IT Risks

Page 36

Global Agriculture Company
Risk Assessment

Situation
Engage numerous stakeholders from multiple locations throughout AsiaPac in one week

Objective
Gather and assess risks facing the organization from numerous divisions and departments throughout region

Leveraging Digital
► Hosted mixed sessions of both face-to-face and virtual participants simultaneously
► Completed 8 sessions in 4 days, engaging 150+ participants in numerous countries
► Anonymous contributions allowed for open and honest feedback, breaking language and cultural barriers

Outcomes
► Generated, categorized, clarified, and prioritized hundreds of risks in a very short amount of time
► Provided key insight on places to focus based on prioritization and assessment results of each session
► Now looking to implement a digital approach for other key processes throughout the company

Page 37

Global Automotive Company
Performance Assessment for Finance Transformation

Situation
The Transformation was drastically over-budget and under-deployed, creating resistance and negative perceptions

Objective
Assess readiness of deploying next phase at next manufacturing location

Leveraging Digital
► Engage a much larger stakeholder population - well beyond the Transformation team
► Complete the assessment in a condensed time period
► Leverage anonymity to get a more complete and honest assessment without rank or politics inhibiting feedback

Outcomes
► Delayed the next phase as a result of the EY assessment
► 3 times the number of stakeholders engaged compared to the previous assessment
► More complete and honest feedback
► All data and assessment results consolidated and presented within 24 hours of the last session

Page 38

Global Technology Company
Vendor requirements gathering and prioritization

Situation
Requirements were generated by the client, however they needed verification and prioritization from their vendors

Objective
Verify all requirements produced by the client, identify any that were missed, prioritize and assess all requirements

Leveraging Digital
► Rapidly verified and clarified all existing requirements as participants could contribute all at once
► Added numerous requirements for each of the 5 sections of the tool
► Quickly assessed all existing and new requirements on a 2 criteria scale – importance vs. speed

Outcomes
► Verified and clarified existing requirements, produced new requirements, and generated detailed heat maps for all 5 sections – all within 4 hours
► Allowed each vendor to gain insight on requirements of others
► Client has now expanded these sessions throughout N America

Page 39

Risk Universe®
By Sector

Page 40

EY Risk Universe by Sector
Contents

► Automotive
► Banking and Capital Markets
► Consumer Products and Retail
► Government and Public Sector
► Health
► Life Sciences
► Media and Entertainment
  ► Advertising and Measurement
  ► Broadcast and Cable
  ► Content and Information Services
  ► Film, Television, and Gaming
  ► Multichannel Video Programming Distributor
► Mining
► Power and Utilities
► Real Estate, Hospitality, and Construction
► Technology
► Wealth and Asset Management

Page 41

Risk Universe®
Automotive

Page 42

EY Risk Universe
Automotive (diagram)

Quadrants: Strategic, Compliance, Operations, Financial

Categories shown: Governance; Planning and resource allocation; Mergers, acquisitions and divestitures; Market Dynamics / Gov’t policy; Communication and investor relations; Major initiatives; Legal/recall; Regulatory; Code of conduct; Customer expectations / sales and marketing; Product safety; People and human resources; Information Technology / cybersecurity; Supply chain; Physical assets; Tax operations; Accounting and reporting; Liquidity and credit; Market; Capital structure

Page 43

EY Risk Universe
Automotive
Strategic / Operations / Compliance / Financial

Strategic

Governance
• Board performance
• Tone at the top
• Control environment
• Corporate social responsibility

Planning and resource allocation
• Organizational structure
• Strategic planning
• Budgeting
• Forecasting
• Joint ventures / alliances and partnerships
• Special purpose entities
• Technology enablement
• Tax planning

Mergers, acquisitions and divestitures
• Valuation and pricing
• Due diligence
• Execution and integration

Market dynamics / government policy
• Competition
• Pricing pressures
• Lifestyle trends
• Customer and platform mix
• Macroeconomic factors
• Sociopolitical factors

Communication and investor relations
• Media relations
• Crisis communication
• Employee communication

Major initiatives
• Vision and direction
• Planning and execution
• Measurement and monitoring
• Technology implementation
• Business acceptance

Operations

Customer expectations / sales and marketing
• Marketing
• Advertising
• Research and development
• Sales and pricing
• Customer support/management

Supply chain
• Master planning and forecasting
• Procurement and inventory
• Production
• Transportation and logistics
• Transfer pricing
• Distribution

People and human resources
• Culture
• Recruiting and retention
• Development and performance
• Succession planning
• Compensation and benefits
• Labor relations

Information Technology / cybersecurity
• IT management
• Information protection
• IT availability/continuity
• IT spend
• Decision support
• IT architecture

Hazards
• Natural events
• Terror and malicious acts

Physical assets
• Real estate
• Property, plant and facilities
• Inventory

Tax operations
• Property taxes
• Tax department operations
• Tax technology and knowledge management

Compliance

Code of conduct
• Ethics
• Fraud

Legal
• Contract
• Liability
• Intellectual property
• Anticorruption

Regulatory
• Trade
• Customs
• Labor
• Securities
• Environment
• Data protection and privacy
• Product quality
• Health and safety
• Competitive prices and anti trade
• Tax compliance and tax authority examination management
• Sales and marketing

Financial

Market
• Interest rate
• Foreign currency
• Commodity
• Derivatives

Liquidity and credit
• Cash management
• Funding
• Hedging
• Credit and collections
• Insurance

Accounting and reporting
• Accounting, reporting and disclosure
• Reporting and information integrity

Capital structure
• Debt
• Equity
• Pension funds
• Stock options

Page 44

EY Risk Universe
Automotive

For more detailed information and risk details/definitions CLICK HERE

Page 45

Additional examples

Page 46

EXAMPLE 1
1. Project Validation
• Validate a pre-existing list of projects (or risks)
• Generate insights into each project (ensuring alignment and clarity)
2. Assess each project on Impact & Likelihood
3. Generate vote rationale for both high and low rated projects (optional)
4. Prioritize previously entered list of Business Group Applications by largest amount of risk (Top X)
5. Generate insights for top application risks (issues, controls, etc.)
6. Prioritize previously entered list of “Other” risks (Top X)
7. Generate insights to impact and issues for top “Other” risks
8. Generate additional risks and/or areas brainstorm

EXAMPLE 2
1. Generate risks (Blank Slate)
2. Identify the top risks (Top X)
3. Assess the top risks on Impact and Likelihood
4. For the highest rated risks, generate participants’ rationale for voting the way that they did
5. Rank top areas of change (Rank Order Vote)
6. Generate participants’ vote rationale for highest rated top areas of change
7. Access to resources assessment? (Yes/No)
• Leverage commenting feature to capture reasoning to ‘No’ votes
8. Additional Questions

EXAMPLE 3
1. Risk Validation
• Validate a pre-existing list
• Brainstorm additional risks that may be missing from the pre-existing list
2. Identify the Top Risks (Top X)
3. Assess top risks on Impact, Likelihood & Management Preparedness (Low/Medium/High)
4. Generate vote rationale for the highest rated top risks

EXAMPLE 4
1. Risk Validation
• Validate a pre-existing list
• Brainstorm additional risks that may be missing from the pre-existing list
2. Identify the top risks (Top X)
3. Assess top risks as controlled or uncontrolled (Yes/No)

EXAMPLE 5
1. Prioritize top risks by area/sector/department/etc. (one area/sector/department/etc. at a time)
• Leverage commenting feature to capture reasoning for all selected top risks
2. Prioritize aggregate list of all “Top Risks by Area” to identify the overall (spanning all areas/sectors/departments/etc.) top risks
3. Assess top risks on Impact and Likelihood
4. Identify “Top Fraud Risks”
5. Assess the “Top Fraud Risks” on Impact and Likelihood

Page 47

Internal Audit Example 1 (IT)

Page 48

Example 1 -- Process

► Project (or risk) Validation
► Validate a pre-existing list of projects
► Generate insights into each project (ensuring alignment and clarity)
► Assess each project on Impact and Likelihood
► Generate vote rationale for both high and low rated projects from the previous assessment (optional)
► Prioritize previously entered list of Business Group Applications by largest amount of risk (Top X)
► Generate insights for top application risks (issues, controls, etc.)
► Prioritize previously entered list of “Other” risks (Top X)
► Generate insights to impact and issues for top “Other” risks
► Generate additional risks and/or areas brainstorm

Page 49

Example 1 -- Project Insights Brainstorm

Page 50

Example 1 -- Projects Impact & Likelihood Assessment

Page 51

Example 1 -- Vote Rationale for Impact & Likelihood Assessment (Optional)

Page 52

Example 1 -- Application Risks By Area (Business Group)

Page 53

Example 1 -- Clarify Top Application Risks by area (Business Group)

Page 54

Example 1 -- Top Other Risks Assessment

Page 55

Example 1 -- Clarify Top Other Risks

Page 56

Example 1 -- Additional Risks or Areas Brainstorm

Page 57

Internal Audit Option 2

Page 58: Risk Assessments Re-Imagined - Chapters Site County/IIA OC...Internal Audit – IT Annual Risk Assessment & IA Audit Priorities for Major Projects and Applications Internal Audit wanted

Page 58

Example 2 -- Process

► Generate risks (Blank Slate)
► Identify the top risks (Top X)
► Assess the top risks on Impact and Likelihood
► For the highest rated risks, generate participants’ rationale for voting the way that they did
► Rank top areas of change (using a Rank Order Vote)
► Generate participants’ vote rationale for the highest rated top areas of change
► Access to resources assessment? (Yes/No)
► Leverage commenting feature to capture the reasoning behind ‘No’ votes
► Additional Questions


Page 59

Example 2 -- Generate Risks


Page 60

Example 2 -- Identify the Top Risks


Page 61

Example 2 -- Impact and Likelihood Assessment of the Top Risks


Page 62

Example 2 -- Rationale for Voting Risks High Impact & Likelihood


Page 63

Example 2 -- Ranking Top Areas of Change


Page 64

Example 2 -- Rationale for Ranking Top Areas of Change


Page 65

Example 2 -- Access to Resources Validation


Page 66

Example 2 -- Access to Resources Validation (Clarify using the assessment comments functionality)


Page 67

Example 2 -- Additional Questions


Page 68

Internal Audit Example 3


Page 69

Example 3 -- Process

► Risk Validation
► Validate a pre-existing list
► Brainstorm additional risks that may be missing from the pre-existing list
► Identify the Top Risks (Top X)
► Assess the top risks on Impact, Likelihood & Management Preparedness (Low/Medium/High)
► Generate vote rationale for the highest rated top risks


Page 70

Example 3 -- Risk Validation (Optional: generate additional risks that the group feels are missing from the list)


Page 71

Example 3 -- Top Risks Assessment


Page 72

Example 3 -- Impact, Likelihood, & Degree of Management Control


Page 73

Example 3 -- Voting Rationale for Risks Assessed as High/Critical


Page 74

Internal Audit Example 4


Page 75

Example 4 -- Process

► Risk Validation
► Validate a pre-existing list
► Brainstorm additional risks that may be missing from the pre-existing list
► Identify the top risks (Top X)
► Assess top risks as controlled or uncontrolled (Yes/No)


Page 76

Example 4 -- Risk Validation


Page 77

Example 4 -- Top Risks Assessment


Page 78

Example 4 -- Controlled Risks Assessment (Identify top uncontrolled risks)


Page 79

Internal Audit Example 5


Page 80

Example 5 -- Process

► Prioritize top risks by area/sector/department/etc. (one area/sector/department/etc. at a time)
► Leverage commenting feature to capture the reasoning for all selected top risks
► Prioritize aggregate list of all “Top Risks by Area” to identify the overall (spanning all areas/sectors/departments/etc.) top risks
► Assess the top risks on Impact and Likelihood
► Identify “Top Fraud Risks”
► Assess the “Top Fraud Risks” on Impact and Likelihood


Page 81

Example 5 -- Top Three Risks by Area/Sector (Strategic)


Page 82

Example 5 -- Top Three Risks by Area/Sector (Clarify using assessment comments functionality)


Page 83

Example 5 -- Top X Risks from All Areas/Sectors


Page 84

Example 5 -- Impact & Likelihood Assessment of Top Risks


Page 85

Example 5 -- Top X Fraud Risks


Page 86

Example 5 -- Impact & Likelihood Assessment of Top Fraud Risks


Page 87

Glossary of Key Risk Terms


Internal Audit Risk Assessment ThinkApp Session – Definitions, Terms & Scales


Page 89

Glossary of Key Risk Terms

► Risk: A risk is any event or circumstance that could affect the achievement of business objectives. Risk is defined in terms of the likelihood of occurrence, and impact in the event that it occurs.

► Contributing Factors / Risk Drivers: Contributing factors are the causal drivers of risk that affect either the likelihood of occurrence or the severity of business impact of the event or circumstance. Contributing factors are typically considered as being related to either: People, Process, Technology or External Factors.

► Impact: Significance of the effect on both long-term and short-term objectives, such as financial results, customer service, regulatory compliance, competitiveness, safety, reputation, environmental, etc. The consideration of expected impact includes both quantitative and qualitative effects to measure the severity of the risk event, with annualized revenue as the common financial denominator.

► Likelihood: The probability of a risk occurring over time, estimated relative to the assessed level of impact. Attention is paid to past occurrences and those of similar industry peer organizations. The consideration of probability of occurrence takes into account both the likelihood of a single event with a significant impact and multiple events of the same risk that would aggregate to a significant impact.

► Management Preparedness: The overall effectiveness of mitigation activities and controls currently in place to manage risks. The assessment of the management preparedness level is based on judgment by the participants.


Page 90

Glossary of Key Risk Terms

► Emerging Risk: A condition, situation or trend that could significantly impact the enterprise’s financial strength, competitive position or reputation within the next 5 years.

► Inherent Risk: The exposure of a risk that is intrinsic to the business in the current environment, before the consideration of risk management and control activities that have been designed and implemented to specifically manage a given risk.

► Residual Risk: The exposure to a risk remaining after considering the effect of the existing risk management and control activities, i.e. inherent risk offset by the aggregate impact of risk management activities and controls equates to residual risk.

► Key Performance Indicators: Business metrics used to evaluate factors that are crucial to the success of the enterprise organization.

► Key Risk Indicators: Metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.


Page 91

Defining a Risk Response Strategy: 3-Quadrant

The goal of the enterprise risk assessment is to capture not only the significant risk exposures, but also the perceived level of management and control activity. These parameters, when combined, allow management to determine an appropriate response for the significant risks and guide ongoing oversight and monitoring. During the workshop we will validate that the enterprise risks are captured to the appropriate action quadrant.

Improve: High risk exposures with low levels of control form the priorities for improvement opportunities.

Managed/Test: High risk exposures with strong controls and management efforts form the focus for audit to provide assurance that controls are adequate and efficient.

Monitor: Risks that will be managed at the business level that require oversight of Company Executive Management.

[Figure: 3-quadrant chart. Vertical axis: Risk exposure ((impact + likelihood)/2), Low 1.0 to High 5.0. Horizontal axis: Management preparedness, High (1.0) to Low (5.0). Quadrants: Managed/Test, Improve, Monitor.]


Page 92

Defining a Risk Response Strategy: 4-Quadrant

The goal of the enterprise risk assessment is to capture not only the significant risk exposures, but also the perceived level of management and control activity. These parameters, when combined, allow management to determine an appropriate response for the significant risks and guide ongoing oversight and monitoring. During the workshop we will validate that the enterprise risks are captured to the appropriate action quadrant.

Improve: High risk exposures with opportunities for mitigation improvements.

Managed/Test: High risk exposures with adequate controls and management efforts. Form the audit plan.

Monitor: Risks that will be monitored to ensure that, if the exposure increases, appropriate actions are taken.

Optimize: Low risk exposures with a moderate level of control may be consciously accepted or may be a focus to re-allocate resources.

[Figure: 4-quadrant chart. Vertical axis: Risk exposure ((impact + likelihood)/2), Low 1.0 to High 5.0. Horizontal axis: Management preparedness, High (1.0) to Low (5.0). Quadrants: Managed/Test, Improve, Optimize, Monitor.]


Page 93

Tier 1 Enterprise Risk Definitions

Key Risks / Risk Description

Data Security / Cyber Attack
Data breaches (involving electronic or physical data) of critical confidential data (e.g., financial information, strategic plans, intellectual property, customer lists/pricing) from internal (employees) and external sources (hackers) may result in reputational damage, loss of business, or negatively impact earnings.

Staffing of Key Roles / Succession Planning
Failure to fill key leadership roles with the right skills and experience, as well as an insufficient number of candidates to back up key management positions, may result in loss of corporate knowledge and adversely impact the business’s ability to operate effectively in the event that an employee leaves.

Acquisition & Integration
With continued execution of global strategic roadmaps for focused growth spaces, consolidated markets and increased competition/pricing for acquisition targets, failure to successfully complete acquisitions, sufficiently integrate and achieve projected ROI on acquisitions may prevent operating companies from expanding into a market/globally, protecting market share, and growing in adjacent products or markets.

Innovation
Failure to sustain proactive focus and application of resources on a global basis to identify, react and adapt to rapid business model and technological changes due to increased global competitive pressures may result in the inability to compete or execute growth strategies.


Page 94

Risk Details

Risk Drivers

Data Security / Cyber Attack

Risk Definition: Data breaches (involving electronic or physical data) of critical confidential data (e.g., financial information, strategic plans, intellectual property, customer lists/pricing) from internal (employees) and external sources (hackers) may result in reputational damage, loss of business, or negatively impact earnings.

Risk Drivers
• Increasing threat landscape as cyber attacks become more common
• Insufficient security measures around IT infrastructure
• Insufficient number of skilled specialized resources
• Lack of attack detection capabilities as well as response plans
• Decentralized IT infrastructure increases management difficulty
• Ability to identify and inventory the organization’s most valuable assets in efforts to protect them (restricting access to IP to appropriate individuals)

Impacts
• Reputational, Financial, Operational, Legal, Regulatory

Mitigation Activities
• Creation of a common data security policy
• Increased experience performing Data Security assessments
• Increased data security training
• Centralized management of IT infrastructure
• Implementation of new procedures and technologies to prevent accidental data loss
• Shifting to centralized policies and procedures


Page 95

Scale Definitions


Page 96

Assessment of Impact

The following impact assessment criteria are for illustration only. Criteria must be defined by client management and customized to suit the nature of each engagement.

Rating / Financial / Operations / Compliance / Strategic

5 Significant
• Financial: Profitability: >25% EBIT/EPS; Value: >25% loss of market value; Disclosure: Fiscal year restatement
• Operations: Scope: Enterprise wide; inability to continue normal business operations across all business units
• Compliance: Regulatory / Legal: Management indictments, large-scale class actions, regulatory sanctions
• Strategic: Strategy: Potential acquisition or bankruptcy; Reputation: Loss of confidence of all stakeholder groups (e.g., clients, business partners, personnel); Market Share: Potentially irrecoverable (i.e., 24-36 months)

4 High
• Financial: Profitability: >20% EBIT/EPS; Value: >20% loss of market value; Disclosure: Fiscal quarter restatement
• Operations: Scope: 3 business units; significant interruptions to business operations within 3 or more business units
• Compliance: Regulatory / Legal: Management challenged, large legal liabilities, regulatory fines
• Strategic: Strategy: 2 or more changes in senior leadership, financial restructuring, significant changes to strategic plan; Reputation: Loss of confidence by 3 or more stakeholder groups; Market Share: Long-term recovery (i.e., 12-24 months)

3 Moderate
• Financial: Profitability: >15% EBIT/EPS; Value: >15% loss of market value; Disclosure: Significant deficiency
• Operations: Scope: 2 business units; moderate interruptions within 2 or more business units
• Compliance: Regulatory / Legal: Management reviewed, legal reserve established, regulatory investigation
• Strategic: Strategy: 1 or more changes in senior leadership, significant changes to operating plans and execution; Reputation: Loss of confidence by 2 or more stakeholder groups; Market Share: Mid-term recovery (i.e., 6-12 months)

2 Low
• Financial: Profitability: >10% EBIT/EPS; Value: >10% loss of market value; Disclosure: Control weakness
• Operations: Scope: 1 business unit; interruptions restricted to 1 business unit
• Compliance: Regulatory / Legal: Management indictments, large-scale class actions, regulatory sanctions
• Strategic: Strategy: Refinements or adjustments to operating plans and execution; Reputation: Loss of confidence limited to 1 stakeholder group; Market Share: Short-term recovery (i.e., less than 6 months)

1 Limited
• Financial: Profitability: >5% EBIT/EPS; Value: >5% loss of market value; Disclosure: Additional risk disclosure
• Operations: Scope: Limited interruptions within 1 business unit
• Compliance: Regulatory / Legal: Limited liabilities or regulatory impact
• Strategic: Strategy: Limited adjustment necessary; Reputation: Limited impact to 1 stakeholder group; Market Share: Limited recovery (i.e., less than 3 months)


Page 97

Assessment of Likelihood

Score/Rating / Probability of Occurring / Frequency

5 Expected: > 90%; Yearly
4 Highly likely: ≤ 90%; Every 1-2 years
3 Likely: ≤ 60%; Every 3-5 years
2 Not likely: ≤ 30%; Every 6-9 years
1 Rare: ≤ 10%; Every 10 years and beyond

Likelihood is the probability of a risk occurring over a predefined time period. In most instances this is set at one year but can be adjusted to be aligned with the company’s planning horizon. In some cases, frequency of occurrence may be considered as well.


Page 98

Assessment of Management Preparedness

The following management and control activity assessment criteria are for illustration only. Criteria must be defined by client management and customized to suit the nature of each engagement.

A score may be used to help determine residual risk (if a similar score based approach is used to calculate likelihood and impact). The residual risk formula is as follows:

Residual Risk = ((Impact x Likelihood) x (1-(Management and Control Level/5)) + (0.2 x (Impact x Likelihood)))

Management can then define the level of risk it attaches to the residual risk score.

Score / Management Preparedness / Description

5 Requires Critical Improvement: Controls and/or Management Activities are non-existent or have major deficiencies and don’t operate as intended
4 Requires Significant Improvement: Limited controls and/or Management Activities in place, high level of risk remains
3 Requires Moderate Improvement: Key controls and/or Management Activities in place, with moderate opportunities for improvement identified
2 Requires Limited Improvement: Controls and/or Management Activities properly designed and operating, with opportunities for improvement identified
1 Requires No Improvement: Controls and/or Management Activities properly designed and operating as intended
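The residual risk formula and the response-strategy quadrants, carried through in code as an added example (not code from the deck or from EY). It assumes that the formula's Management and Control Level is the inverse of the 1..5 preparedness score (level = 6 - score, since a higher level lowers residual risk), that the quadrant cut-off is the 3.0 midpoint of each chart axis, and that the sample scores for the Tier 1 risks are constructed.

```python
"""Residual-risk scoring and response-quadrant placement built from the deck's
scales.  Added example, not EY's or the deck's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScore:
    """One vote (or the aggregated workshop vote) for a single risk.
    Scores follow the deck's 1..5 scales; preparedness is the Management
    Preparedness score (1 = Requires No Improvement, strongest controls;
    5 = Requires Critical Improvement), matching the charts' "High ... Low" axis.
    """
    name: str
    impact: int
    likelihood: int
    preparedness: int

    def __post_init__(self):
        for field in ("impact", "likelihood", "preparedness"):
            value = getattr(self, field)
            if value not in range(1, 6):
                raise ValueError(f"{field} must be 1..5, got {value}")


def inherent_risk(r: RiskScore) -> int:
    """Impact x Likelihood, before any credit for controls."""
    return r.impact * r.likelihood


def control_level(r: RiskScore) -> int:
    # ASSUMPTION: the formula's "Management and Control Level" grows with control
    # strength (a higher level lowers residual risk), so it is taken as the
    # inverse of the preparedness score, which grows as controls weaken.
    return 6 - r.preparedness


def residual_risk(r: RiskScore) -> float:
    """Deck's formula: ((I x L) x (1 - (Level/5)) + (0.2 x (I x L)))."""
    ixl = inherent_risk(r)
    return ixl * (1 - control_level(r) / 5) + 0.2 * ixl


def exposure(r: RiskScore) -> float:
    """Vertical axis of the response-strategy charts: (impact + likelihood) / 2."""
    return (r.impact + r.likelihood) / 2


def quadrant(r: RiskScore, four_quadrant: bool = False, cutoff: float = 3.0) -> str:
    """Place a risk in the deck's 3- or 4-quadrant response chart.
    ASSUMPTION: the slides draw the charts without numeric cut-offs, so the
    midpoint of each 1..5 axis is used here."""
    high_exposure = exposure(r) >= cutoff
    low_preparedness = r.preparedness > cutoff
    if high_exposure:
        return "Improve" if low_preparedness else "Managed/Test"
    if four_quadrant and not low_preparedness:
        return "Optimize"  # low exposure with moderate/strong control
    return "Monitor"


def prioritize(risks, four_quadrant=False):
    """Rank risks by residual score, highest first, with their quadrant."""
    ranked = sorted(risks, key=residual_risk, reverse=True)
    return [(r.name, round(residual_risk(r), 2), quadrant(r, four_quadrant))
            for r in ranked]


# Constructed sample votes for the Tier 1 risks named on the deck (made-up scores).
SAMPLE_RISKS = [
    RiskScore("Data Security / Cyber Attack", 5, 4, 4),
    RiskScore("Staffing of Key Roles / Succession Planning", 2, 3, 5),
    RiskScore("Acquisition & Integration", 2, 2, 2),
    RiskScore("Innovation", 3, 3, 1),
]

if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_RISKS, four_quadrant=True):
        print(f"{score:5.2f}  {action:<13} {name}")
```

Note that with this formula even the strongest controls leave 0.2 x inherent risk, so a 5/5 risk can never score below 5.0 residual.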


Page 99

Assessment of Velocity

Velocity is a function of Speed and Direction, primarily how fast a particular risk is approaching in terms of months and years and whether it is approaching the industry, or is very specific to us.

Score/Rating / Probability

5 Very Fast: Within 1 - 6 months
4 Fast: Between 6 - 12 months
3 Moderate: Between 1 - 2 years
2 Slow: Between 2 - 3 years
1 Very Slow: > 3 years