ACUIA Region 6 IA & ERM Risk Assessment...©2016 Crowe Horwath LLP 9 Step One: Understanding Your...

©2016 Crowe Horwath LLP ACUIA Region 6 IA & ERM Risk Assessment September 21, 2016


Page 1

©2016 Crowe Horwath LLP

ACUIA Region 6

IA & ERM Risk Assessment

September 21, 2016

Page 2

Agenda

Transitioning to Risk Based Auditing

Internal Audit Risk Assessment

Internal Audit’s Role in Enterprise Risk Management

COSO ERM Framework

Transitioning to Enterprise Risk Management

Page 3

Transitioning to Risk Based Auditing

Page 4

Traditional Internal Auditor

Position established in response to regulatory oversight

“Available” employee

Internal training

Operationally focused

NOT ANYMORE!

Page 5

Traditional Internal Audit vs. Risk-Based Internal Audit

Traditional
• “Canned” audit programs
• Detail (picky) testing
• Operational auditing
• Boring, easy work
• Only point out problems

Risk Based
• Tailored audit programs customized to institution
• High-level, risk-based testing
• Business risk auditing
• Partner with institution management
• “Best Practices”, efficiency, value added services

Page 6

Traditional Internal Audit vs. Risk-Based Internal Audit

Traditional
• Reactive
• After the fact
• Discontinuous
• Observers of strategic planning initiatives

Risk Based
• Coactive
• Real-time
• Continuous monitoring
• Participants in strategic planning

Page 7

Traditional vs. Risk Based Internal Audit Paradigms

Traditional
• Important controls
• Emphasis on completeness of detail control testing
• Recommendations on internal control
  • Strengthened
  • Cost Benefit
  • Efficient/Effective
• Addressing functional controls
• Independent appraisal function

Risk Based
• Important risks
• Emphasis on significance of broad business risks covered
• Recommendations on risk management
  • Avoid/diversify risk
  • Share/transfer risk
  • Control/accept risk
• Addressing process risks
• Integrated risk management and corporate governance

Page 8

Seven Step Process to Risk Based Auditing

Page 9

Seven Step Process to Risk Based Auditing

Step One: Understanding Your Credit Union

• Strategic analysis (strategic plans, minutes, marketing materials, web site, etc.)
• Financial analysis (financial statements, call reports, peer group comparisons, management reports, etc.)
• Regulatory analysis (regulatory reports, recent developments, etc.)
• Management and Supervisory Committee inquiry (prior issues, staff turnover, future plans, current concerns, legal issues, etc.)

Page 10

Seven Step Process to Risk Based Auditing

Step Two: Preliminary Risk Assessment Process

• From Step 1, work with management to assess risk in key areas
• Factors considered for each area include:
  - Business Profile
  - Business Changes
  - Business Management
  - Specific Risks/Concerns
• Considers various types of risks inherent in financial institutions: Credit, Interest Rate, Market, Strategic, Operational, Reputational, Liquidity and Legal
• Considers perceived direction of risk (increasing, stable, decreasing)

Page 11

Seven Step Process to Risk Based Auditing

Step Three: Develop a Three-Year Internal Audit Plan

• Follows a risk-based approach: “High” risk areas audited annually, “Moderate” risk areas audited every two years, and “Low” risk areas audited every three years
• Includes a three-year rotational audit schedule and a detailed audit schedule for the upcoming year
• Satisfies regulatory requirements
• Continually updated with management and Supervisory Committee input (i.e., a “living document”)

Page 12

Seven Step Process to Risk Based Auditing

Step Four: Secondary Risk Assessment Process

• Assesses risks within each key area or line of business to focus detail testing on the highest risk areas within the area
• Addresses risk control objectives and essential internal control points for each activity or process
• Assesses risk in relation to how well the Credit Union’s policies and procedures meet the control objectives
• Defines the internal audit program steps to be completed in relation to the assessed level of risk

Page 13

Seven Step Process to Risk Based Auditing

Step Five: Execution of the Internal Audit Program

• Linked directly to risk assessments and tailored to specific Credit Union issues
• Ensure that experienced internal auditors perform more complex audits
• Scope is adjusted continually based upon actual findings during fieldwork
• As a best practice, conducted using automated work papers and audit tools

Page 14

Seven Step Process to Risk Based Auditing

Step Six: Conduct Exit Meetings

• Conducted at the end of fieldwork for each segment
• Active participation and interaction with key management and department leaders
• Review of coverage and findings
• Timely reporting of issues and clarification of facts
• Recommendations/best practices customized to your Credit Union’s unique situation
• On-going performance improvement feedback

Page 15

Seven Step Process to Risk Based Auditing

Step Seven: Reporting and Communication

• Report structure
  • Findings by level of priority – high, moderate and low
  • Management responses – responsible party and due date
• Follow-up process and reporting
  • High priority findings from internal audits
  • Significant regulatory findings
• Continual communication with the Supervisory Committee and Management
  • Scheduled meetings including executive sessions
  • Status reports, hot topics, etc.

Page 16

Risk Based Approach

• All significant “lines of business” deserve some audit attention
• Riskier areas deserve more attention
  • More frequent review
  • More detailed audit procedures
  • More time and resources
  • Specialty resources

Page 17

Internal Audit Risk Assessment

Page 18

Risk Assessment and Audit Plan Process

The Risk Assessment and Audit Plan includes the following sections:

I. Internal Audit Approach

II. Risk Assessment Matrix

III. Business Process Risk Assessments

IV. Internal Audit Coverage Matrix

V. Internal Audit Plan

VI. Qualifications of Internal Audit Department

Page 19

Internal Audit Approach

• The Internal Audit Approach includes Establishing Scope, Planning, and Fieldwork & Reporting.
• The Risk Assessment Process includes the risk categories:
  Financial Risk
  Credit Risk
  Market Risk
  Interest Rate Risk
  Liquidity Risk
  Business Risk
  Strategic Risk
  Reputational Risk
  Legal/Compliance Risk
  Operational Risk
  Aggregate Inherent Risk
  Internal Controls Assessment
  Residual Risk
  Risk Direction

Page 20

Risk Assessment Matrix

Columns: Business Area | Financial Risk | Business Risk | Operational Risk | Aggregate Risk | Internal Controls | Residual Risk | Risk Direction

LENDING
  Mortgage Loans
  Consumer Loans
  Indirect Loans
MEMBER BUSINESS SERVICES
  Member Business Lending
  Member Business Deposits (Commercial)

Page 21

Business Process Risk Assessments

Lending Business Area

Columns: Financial Risk | Business Risk | Operational Risk | Aggregate Risk | Internal Controls | Residual Risk | Risk Direction

  Mortgage Loans
  Consumer Loans
  Indirect Loans

Overview of Business Area

Lending authority is granted and established by the Credit Union’s Board of Directors through its approved Loan Policy. XX…….

Page 22

Internal Audit Coverage Matrix

Columns: Business Area | Residual Risk from Risk Assessment Matrix | Audit Frequency (1, 2, or 3 year rotation) | For the Years Ending December 31, 2016 / 2017 / 2018

Lending
  Mortgage Loans                          frequency 1   X X X
  Consumer Loans                          frequency 2   X X
  Indirect Loans                          frequency 2   X
Member Business Services
  Member Business Lending                 frequency 2   X
  Member Business Deposits (Commercial)   frequency 2   X
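The coverage matrix above is what the Step Three rotation rule (“High” annually, “Moderate” every two years, “Low” every three years) produces when it is applied to each business area's residual risk and last audit date. The following Python is an added example, not part of the Crowe Horwath deck: it encodes that rotation, derives the X marks for a three-year horizon, handles the never-audited and overdue cases, and flags any area that would get no coverage at all. The business area names follow the slide; the residual-risk ratings and last-audited years in the sample are assumptions chosen to reproduce the slide's pattern of X marks, since the slide does not state them.

```python
from typing import Dict, List, Optional, Tuple

# Rotation the deck prescribes in Step Three: "High" risk areas audited annually,
# "Moderate" every two years, "Low" every three years.
FREQUENCY_BY_RESIDUAL_RISK: Dict[str, int] = {"High": 1, "Moderate": 2, "Low": 3}


def audit_frequency(residual_risk: str) -> int:
    """Years between audits for a residual-risk rating; rejects unknown ratings
    rather than silently leaving an area off the plan."""
    try:
        return FREQUENCY_BY_RESIDUAL_RISK[residual_risk]
    except KeyError:
        raise ValueError(f"unknown residual risk rating {residual_risk!r}") from None


def scheduled_years(residual_risk: str, last_audited: Optional[int],
                    plan_years: List[int]) -> List[int]:
    """Plan years in which an area is due. An area never audited, or one whose
    next audit fell before the plan horizon (overdue), is scheduled in the first
    plan year and rotates from there."""
    freq = audit_frequency(residual_risk)
    first = plan_years[0]
    next_due = first if last_audited is None else last_audited + freq
    if next_due < first:
        next_due = first  # overdue: catch up in the first year of the plan
    return [y for y in plan_years if y >= next_due and (y - next_due) % freq == 0]


Row = Tuple[str, str, int, List[str]]


def coverage_matrix(areas: List[Tuple[str, str, Optional[int]]],
                    plan_years: List[int]) -> List[Row]:
    """Build rows of (area, residual risk, frequency, marks per plan year),
    mirroring the deck's Internal Audit Coverage Matrix columns."""
    rows: List[Row] = []
    for area, rating, last in areas:
        due = set(scheduled_years(rating, last, plan_years))
        marks = ["X" if y in due else "" for y in plan_years]
        rows.append((area, rating, audit_frequency(rating), marks))
    return rows


def uncovered_areas(rows: List[Row]) -> List[str]:
    """Areas with no audit in the horizon. The deck's Risk Based Approach slide
    says every significant line of business deserves some attention, so a
    non-empty result is a planning gap to resolve."""
    return [area for area, _, _, marks in rows if "X" not in marks]


# Constructed sample: area names follow the deck's matrix; ratings and
# last-audited years are assumptions chosen so the output reproduces the
# deck's pattern of X marks (they are not stated on the slide).
PLAN_YEARS = [2016, 2017, 2018]
SAMPLE_AREAS = [
    ("Mortgage Loans", "High", 2015),
    ("Consumer Loans", "Moderate", 2014),
    ("Indirect Loans", "Moderate", 2015),
    ("Member Business Lending", "Moderate", 2015),
    ("Member Business Deposits (Commercial)", "Moderate", 2015),
    ("Marketing", "Low", None),
]

if __name__ == "__main__":
    print(f"{'Business Area':40s} Risk      Freq  " + "  ".join(str(y) for y in PLAN_YEARS))
    for area, rating, freq, marks in coverage_matrix(SAMPLE_AREAS, PLAN_YEARS):
        print(f"{area:40s} {rating:9s} {freq:<5d} " + "     ".join(m or "-" for m in marks))
    print("uncovered:", uncovered_areas(coverage_matrix(SAMPLE_AREAS, PLAN_YEARS)))
```

Run it and the first three rows come out as X X X, X _ X and _ X _, matching the slide; `uncovered_areas` is the check to run whenever ratings are downgraded, because a “Low” area audited in the last plan year drops out of a three-year horizon entirely.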

Page 23

Internal Audit Plan

Business Area                          Audit Dates
LENDING
  Mortgage Loans                       July 18, 2016
  Consumer Loans                       May 9, 2016
MARKETING
  Marketing                            February 3, 2016
ACCOUNTING & FINANCIAL REPORTING
  Wire Transfer                        October 10, 2016
  Financial and Regulatory Reporting   June 30, 2016
  General Accounting                   October 10, 2016

Page 24

Qualifications of Internal Audit Department

Mike Thomas, Director of Audit

Professional Experience: Over thirty years of broad-based experience, specializing in the financial services industry, including over ten years with Credit Union. Prior to joining Credit Union, Mike was a Partner with Crowe Horwath and served as Vice President & Audit Group Manager for SunTrust Banks, Inc.

Areas of Expertise:
• Consumer Lending/Leasing
• Commercial Lending/Leasing
• Loan Operations
• Retail Branch Operations
• Electronic Funds Transfer
• Risk Management
• Financial Reporting
• Due Diligence/Acquisitions
• Deposit Operations
• Trust
• Fraud Prevention/Detection

Page 25

Internal Audit’s Role in Enterprise Risk Management

Page 26

Internal Audit’s Role in ERM

IIA Statement of Position: The Role of Internal Audit in Enterprise-wide Risk Management

Page 27

COSO ERM Framework

Page 28

Focus of Discussion

Monitoring

Information and Communication

Control Activities

Risk Response

Risk Assessment

Event Identification

Objective Setting

Internal Environment

Page 29

Internal Environment

• How does the company’s culture affect its approach to managing the business?
  • Integrity and ethical values
  • Commitment to competence
  • Organizational structure
  • Authority and responsibility
  • Human resource standards
• What are the board’s and/or management’s risk taking philosophy and risk appetite?

Page 30

Objective Setting

• What are the key business objectives for the company/division/business unit/subsidiary?
• How do the division/business unit/subsidiary objectives align with the company objectives?
• What is the risk appetite relative to these objectives?
• What is the range of acceptable variability (i.e., risk tolerance) relative to these objectives?

Page 31

Key Definitions

• Risk Management Philosophy - “… set of shared beliefs and attitudes characterizing how the organization considers risk in everything it does, from strategy development and implementation to its day-to-day activities.”
• Risk Appetite - “… the amount of risk, on a broad level, an organization is willing to accept in pursuit of value … a guidepost in strategy setting.”
• Risk Tolerance - “… acceptable levels of variation relative to the achievement of objectives … aligns with risk appetite.”

Page 32

Event Identification

• What types of events may prevent us from achieving our objectives (think risk scenarios)?
• What else can go wrong?
• Are there similarities and/or interdependencies between these events?
• How should we summarize and define these events (i.e., create a risk universe)?

Page 33

Risk Assessment

• What are the various outcomes/range of possible risk impacts?
• What is the likelihood of each impact occurring?
• What’s our tolerance relative to that risk occurrence?
• What are the interrelationships between the various risks?
• How will we be able to measure the various risk occurrences?

Page 34

Key Definitions

• Inherent Risk - “… risk to an organization in the absence of any actions management might take to alter either the risk’s likelihood or impact.”
  • Risk assessment is applied first to inherent risks.
• Residual Risk - “… risk that remains after management’s response to the risk.”
  • Once risk responses have been developed, management then considers residual risk.
• Tolerable Risk - Acceptable variability around expected business risk outcomes (i.e., how much residual risk a company can live with).

Page 35

Risk Response

• How can we best deal with the key risks?
  • Avoid
  • Reduce
  • Share
  • Accept
• Are there ways to aggregate risk responses (i.e., deal with them on a portfolio basis)?
• Are there ways to exploit certain risks to create a competitive advantage (i.e., risk opportunities)?

Page 36

Control Activities

• How are we going to execute the various risk strategies/risk responses?
• Do we have the capabilities to execute those strategies/risk responses consistently?
  • People
  • Processes
  • Technology
• Are those capabilities mature enough to achieve our business objectives?

Page 37

Information and Communication

• How do we identify risk occurrences in a timely manner?
• Have we established appropriate risk indicators so we can anticipate risk occurrences?
• How do we ensure risk owners get the necessary information (internal and external) to manage their risks effectively?
• How is risk information communicated up and down the organization (including the board)?

Page 38

Monitoring

• How do we ensure that our ERM program is operating effectively?
• How do we continuously improve our ERM program?
• What is the ongoing role of internal audit in ERM?
• How do we ensure that ERM becomes the mindset of every employee?

Page 39

Summary

• The COSO ERM Framework encompasses much more than the Internal Control Framework.
• To understand the bigger, broader COSO ERM Framework, one only needs to ask a few simple questions about each of the components.
• However, the journey to fully implementing ERM is a long one; be prepared.

Page 40

Transitioning to Enterprise Risk Management

Page 41

A Practical Approach

• ERM is a worthy goal for all businesses, regardless of size
• Risk-management activities need to be tied to strategy and ultimately built into everyday business processes
• The following five-step project plan enables organizations to identify and coordinate activities they already have begun, identify risks that are not adequately managed, and close gaps and move forward:
  1. Organizing your team
  2. Establishing a framework
  3. Assessing risks
  4. Inventorying current risk-response activities
  5. Closing the gaps

Page 42

A Practical Approach

Leveraging existing knowledge and programs will go a long way to help reduce the effort in getting started.

• Who
  • Internal Audit
  • The Compliance Officer
  • IT Security and Privacy or the Insurance Group
  • Chief Risk Officer
  • Safety
• What
  • Internal Audit Risk Assessment
  • Anti-Fraud Risk Assessment
  • Enterprise-Wide Compliance Risk Assessment
  • Insurance Risk Assessment
  • GLBA/IT Risk Assessment

Page 43

Step 1: Organize the Effort

Assemble:
• Steering Committee
• Project Team
• Project Charter

Page 44

Step 2: Establish a Framework Around Risk

An ERM framework provides the context to develop specific ERM processes. For example, the framework may contain these five components:
• Analyze risks
• Develop risk strategies
• Implement risk strategies
• Audit risk strategies
• Communicate results

[Diagram: ERM cycle with the elements Analyze, Develop Strategy, Implement, Audit, Communication]

Page 45

Risk Assessment Process℠

During the "Analyze" phase of ERM, risks are identified, sourced to a process or area (where the risks reside) and measured (based on impact and likelihood of risk).

[Diagram: Analyze Risks: 1. Identify, 2. Source, 3. Measure; ERM cycle with the elements Analyze, Develop Strategy, Implement, Audit, Communication]

The "Analyze" Element of ERM
• Discussions With Management
• Customize Risk Assessment Approach
• Perform Risk Assessment
• Communicate & Provide Materials to Participants
• Analyze Results
• Develop Output

Page 46

Step 3: Risk Assessment – The Top 10 – 15 Risks

• Identify key risks
• Identify where they reside
• Significance
• Where to draw the line

Page 47

Likelihood Risk Ranking Table

Level   Descriptor       Likelihood of Occurrence
1       Rare             Very Low
2       Unlikely         Low
3       Possible         Moderate
4       Likely           High
5       Almost Certain   Very High

Page 48

Impact Risk Ranking Table

Level   Descriptor      Impact of Occurrence
1       Insignificant   • Minimal loss of revenue
                        • No regulatory or reporting impact
2       Minor           • 1-2 reportable incidents which may impact processing requirements
3       Moderate        • Several incidents which may impact processing or reporting requirements
4       Major           • Major reportable events to shareholders, or regulators
5       Catastrophic    • Multiple major reportable events to shareholders or regulators

Page 49

Impact + Likelihood = Aggregate Risk

IMPACT             LIKELIHOOD
                   1. Rare   2. Unlikely   3. Possible   4. Likely   5. Almost Certain
5. Catastrophic    5         6             7             8           9
4. Major           4         5             6             7           8
3. Moderate        3         4             5             6           7
2. Minor           2         3             4             5           6
1. Insignificant   1         2             3             4           5

Colour legend (cells out of 25):
3 Green  = 12%  }
3 Gold   = 12%  }  24%
9 Yellow = 36%  }
4 Purple = 16%  }  52%
6 Red    = 24%  }  24%
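The matrix above reads as impact + likelihood - 1 (the Insignificant/Rare corner scores 1, the Catastrophic/Almost Certain corner scores 9), and the legend gives only colour counts and percentages. The Python below is an added example, not part of the Crowe Horwath deck: it scores a constructed credit-union risk register with that formula, maps scores to bands, ranks the register for the "top 10 to 15 risks" cut of Step 3, and recomputes the legend's cell counts so the band cut-offs can be checked. The score ranges per colour are an assumption inferred from the legend's counts (3, 3, 9, 4 and 6 cells), and the sample risks and their ratings are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# ASSUMPTION: score ranges per colour band, inferred from the legend's cell counts
# (3 green, 3 gold, 9 yellow, 4 purple, 6 red out of 25 cells). The deck shows
# only colours and percentages, not the numeric cut-offs.
BANDS = [
    (1, 2, "Green"),   # scores 1 and 2: 1 + 2 cells
    (3, 3, "Gold"),    # score 3: 3 cells
    (4, 5, "Yellow"),  # scores 4 and 5: 4 + 5 cells
    (6, 6, "Purple"),  # score 6: 4 cells
    (7, 9, "Red"),     # scores 7 to 9: 3 + 2 + 1 cells
]


def aggregate_score(impact: int, likelihood: int) -> int:
    """Cell value read off the deck's matrix: impact + likelihood - 1, so the
    Insignificant/Rare corner is 1 and Catastrophic/Almost Certain is 9."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must be integers in 1..5")
    return impact + likelihood - 1


def band_for(score: int) -> str:
    """Map an aggregate score (1..9) to its assumed colour band."""
    for low, high, colour in BANDS:
        if low <= score <= high:
            return colour
    raise ValueError(f"score {score} outside 1..9")


def band_distribution() -> Dict[str, Tuple[int, int]]:
    """Cells per band over the whole 5x5 matrix as (count, percent of 25), so
    the assumed cut-offs can be compared with the deck's legend."""
    counts = Counter(band_for(aggregate_score(i, l)) for i in IMPACT for l in LIKELIHOOD)
    return {colour: (n, n * 100 // 25) for colour, n in counts.items()}


@dataclass(frozen=True)
class ScoredRisk:
    name: str
    impact: int
    likelihood: int
    score: int
    band: str


def rank_risks(register: List[Tuple[str, int, int]]) -> List[ScoredRisk]:
    """Score every (name, impact, likelihood) entry and sort highest first.
    Ties on score are broken by impact, so a rare but catastrophic event ranks
    above a frequent nuisance with the same aggregate score."""
    scored = [
        ScoredRisk(name, i, l, aggregate_score(i, l), band_for(aggregate_score(i, l)))
        for name, i, l in register
    ]
    return sorted(scored, key=lambda r: (-r.score, -r.impact, r.name))


def top_risks(register: List[Tuple[str, int, int]], n: int = 10) -> List[ScoredRisk]:
    """Step 3 of the deck asks for the top 10 to 15 risks; this is that cut."""
    return rank_risks(register)[:n]


# Constructed sample register for a credit union; the entries and their
# impact/likelihood ratings are illustrative and not taken from the deck.
SAMPLE_REGISTER = [
    ("Member data breach", 5, 3),
    ("Wire transfer fraud", 5, 2),
    ("Core banking system outage", 4, 2),
    ("Overdue vendor contract reviews", 2, 4),
    ("Branch teller cash shortage", 1, 5),
    ("Loan policy exception not documented", 3, 3),
]

if __name__ == "__main__":
    for colour, (cells, pct) in band_distribution().items():
        print(f"{cells:2d} {colour:6s} = {pct}%")
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.score} {r.band:6s} {IMPACT[r.impact]}/{LIKELIHOOD[r.likelihood]}  {r.name}")
```

`band_distribution()` returns 3/3/9/4/6 cells, i.e. 12%/12%/36%/16%/24%, which is the only way to reproduce the legend, so that is the check to rerun if the matrix or the cut-offs are ever customized. Note that four of the six sample risks tie on a score of 5, which is why the tie-break on impact matters for the ranked cut.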

Page 50

Risk Profiles Result from Risk Assessment

A risk profile summarizes key risks and allows organizations to focus risk management efforts.

Managing these risks will reduce the likelihood and significance over time, thus improving the organization's overall risk profile.

What is Your Organization's Risk Profile?

Which risks belong in the top-right quadrant?

[Chart: Impact (Low to High) on the vertical axis, Likelihood (Low to High) on the horizontal axis, annotated "Reduce Likelihood"]

1. _______
2. _______
3. _______
4. _______
5. _______
etc...

Page 51

Step 4: Inventory Current Risk-Response Activities

• How do you think about risk?
• When someone says "risk," what do you think?
• Which risks are you responsible for responding to?
• How do you coordinate your risk mitigation or compliance activities with others in the organization?

Page 52

Step 5: Identify Gaps and Prioritize

• Recommendations
• Guiding the organization to improve ongoing risk management processes
• Decisions on how to best manage risks and where it should be managed

Page 53

Crowe Horwath’s ERM Risk Model for Financial Institutions

Strategic
• Corporate Governance
• Leadership
• Alignment
• Planning
• Communication

Market
• Valuation (on and off BS)
• Foreign Exchange

Interest Rate Risk
• Re-Pricing
• Yield Curve
• Basis
• Options

Reputation
• Fraud
• Ethics
• Privacy

Credit
• Domestic
• Foreign

Liquidity

Legal
• Compliance
• Litigation
• Contractual/Obligations
• Fiduciary

Operational
• Accounting
• Technology
• Customer Loyalty/Retention
• Performance Measurement
• Budgeting and Planning
• Financial Reporting
• Product Development and Pricing
• Human Resources
• Third-Party Relationships
• Business Interruption
• Policy/Procedure Compliance

External
• Regulatory/Legal
• Investor Relations
• Competitor
• Financial Markets
• Catastrophic Loss
• Sovereign/Political

Page 54

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, phases 1 to 7: Preparation; Building ERM Framework; Pilot; Transform Existing Resources; Continuous Change Management; Risk Assessment and Planning; Execution. An internal-audit variant of the same roadmap is overlaid: Preparation; Building EWR Framework; Pilot Audits; Transform Existing IA Resources; Continuous Change Management; Risk Assessment and Internal Audit Plan; Internal Audit Plan Execution]

Page 55

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, phases 1 to 7: Preparation; Building ERM Framework; Pilot; Transform Existing Resources; Continuous Change Management; Risk Assessment and Planning; Execution]

• Educate and get buy-in
• Review existing RM processes
• Understand stakeholders' expectations
• Understand the uniqueness of your business

Page 56

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, phases 1 to 7: Preparation; Building ERM Framework; Pilot; Transform Existing Resources; Continuous Change Management; Risk Assessment and Planning; Execution]

• Establish formal risk management process
  • Based on COSO Framework
  • Built on key risk categories customized to meet the needs of the organization
  • Based on an understanding of business and stakeholders' needs
• Develop a common risk language
• Define end state for stronger risk management processes corporate-wide
• Identify gaps
• Develop strategies for closing gaps

Page 57

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, phases 1 to 7: Preparation; Building ERM Framework; Pilot; Transform Existing Resources; Continuous Change Management; Risk Assessment and Planning; Execution]

• Perform training on ERM methodology
• Assess resource/expertise needs
• Perform training on manual/electronic tools
• Team building activities

Page 58

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, as on the preceding slide]

• Roll out to one line of business
• Get direct assistance and coaching from ERM champion
• Assess results
• Make needed modifications

Page 59

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, as on the preceding slide]

• Conduct risk assessment
  • Interviews
  • Surveys
  • Facilitated sessions
• Assessment will be used for ERM and to develop risk management plan
• Evaluate results

Page 60

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, as on the preceding slide]

• Obtain feedback on pilot and risk assessment from risk owners and management
• Adjust approach as needed
• Reassess training needs
• Adjust ERM frameworks and approaches as needed
• Establish ongoing evaluation process

Page 61

Transformation to Enterprise Risk Management

A Collaborative Effort to Take Risk Management to the Next Level

[Roadmap diagram, as on the preceding slide]

• Structured approach incorporates the following elements:
  • Link to strategy
  • Portfolio view of risks
  • Continual monitoring and assessment
  • Risk mitigation consistent with organizational risk appetite
  • High level of organizational buy-in

Page 62

Characteristics of an Effective ERM Process

• Infrastructure to support ERM process, including:
  • Policy
  • Common risk language (customized risk model)
  • Defined roles and responsibilities
  • Tools to facilitate monitoring, updating, and reporting
• Framework to organize ERM activities
• Linkage to other management activities, e.g., strategic planning

Page 63

ERM: Keys to Success

• Clearly articulated risk management goals that provide a foundation for ERM and for related training and communication
• Common risk language to enable individuals throughout the organization to conduct meaningful cross-functional discussions about risk
• Individuals clearly understand their roles in the assessment and risk management framework

Page 64

ERM - Risk Owners

#  | Business Process                                                                                      | Senior Executive
1  | Accounting                                                                                            | XXXX
2  | Funds Management (includes ALM, Cash Mgt., Securities, Borrowings & Repurchase Agreements)             | XXXX
3  | Bank Secrecy Act                                                                                      | XXXX
4  | Branch Operations                                                                                     | XXXX
5  | Lending (Credit Administration and Loan Operations)                                                   | XXXX
6  | Special Assets/ALLL/Collections/Recovery                                                              | XXXX
7  | Deposit Operations (includes Automated Clearing House, Remote Deposit Capture and Wire Transfer)       | XXXX
8  | Entity Level/Corporate Governance                                                                     | XXXX
9  | Human Resources and Payroll                                                                           | XXXX
10 | Information Technology                                                                                | XXXX
11 | Regulatory Compliance                                                                                 | XXXX

Page 65

Risk Inventory

XYX Bank
Risk Assessment Summary
Working Draft

Date:
Line of Business:
Risk Owner:

Objectives - Document three to five key operational, reporting and/or compliance objectives of the line of business. (1)*
O1.
O2.
O3.
O4.
O5.

Document the 1-3 most significant risks/risk events that could impact the line of business' ability to achieve each stated objective (2)*:

Columns of the risk table: Objective # (3)* | Risk/Event Description (4)* | Risk Category (5) | Inherent Risk Assessment: Likelihood (6), Impact (7), Aggregate (8) | Risk Response (9) | Residual Risk Assessment: Effectiveness of Risk Response (10), Residual Risk (11), Direction (12) | Auditable (14) | Refer to Audit (15)

Ratings entered in the working draft (one line per risk):

Likelihood | Impact   | Aggregate | Effectiveness of Risk Response | Residual Risk | Direction
Moderate   | High     | High      | Effective                      | M             | S
Low        | High     | Moderate  | Effective                      | L             | S
Moderate   | Moderate | Moderate  | Effective                      | M             | I
Low        | High     | Moderate  | Effective                      | L             | S
Moderate   | High     | High      | Effective                      | M             | I
Moderate   | High     | Moderate  | Effective                      | M             | S
Low        | High     | Moderate  | Effective                      | L             | I
Low        | High     | Moderate  | Effective                      | L             | S
Moderate   | High     | High      | Effective                      | M             | I

Overall Risk Assessment (16):

Risk Category     | Credit | Market | Liquidity | Operational | Legal | Reputational
Inherent risk     | M      | M      | H         | H           | M     | M
Residual risk     | M      | L      | M/H       | M           | L     | M
Direction of Risk | I      | I      | S         | I           | S     | I

Overall Risk Assessment Rationale (17):
Credit -
Market -
Liquidity -
Operational -
Legal -
Reputational -

Discuss Mechanisms to Monitor Key Risk and Risk Responses (18):

KRIs:
Int rate risk -
Turnover rate -
Compensation -
Building internal employee relations -
Competition in market -
Bank relationships -
Systemic mortg fraud -
Downturn of econ conditions -
Info tech security breach -
HMDA data error reports -

Monitoring mechanisms entered in the draft:
No reports or KRIs. Intuitive.
Formal salary survey was performed 2 yrs ago. Accordingly, mgmt made comp adjs 2 yrs ago. Employees freely discuss market comps with management.
Management conducts an open forum meeting with staff to solicit feedback.
Pricing survey periodically. Compare rates with competition. Also, call competitors. Brokers will also tell mortg co re: pricing and svc. Daily, second mkt determines wholesale pricing.
Analyze referrals from Bank. Have meetings with Bank personnel, sales people.
An invalid login attempt report is reviewed monthly. Also, system diagnostic software creates exception reports that are reviewed daily.
Mortgage Company creates a file for HMDA reptg. Any exceptions identified by the software are researched and corrected. Also, management reviews external and internal QC loan review reports and internal audit reports.

Discuss Information Considered (19):
From the most recent regulatory examination report, the OCC has not reported any issues regarding the mortg co.
Internal Documents and reports: Management subscribes to Mortgage Bankers Association and receives weekly survey and forecast information, etc.
Industry periodicals. External and internal QC loan review reports.
Industry and economic data provided by MBA and various economists.
Govt statistics and daily volume and production against the plan and information provided from the market.

* - Indicates this is a required field. Other fields may be completed if possible.

Field notes:
(1) Document three to five key operational, reporting and/or compliance objectives of the line of business.
(2) Document the 1-3 most significant risks/risk events that could impact the line of business' ability to achieve each stated objective.
(3) Document the specific objective or objectives to which the individual risk relates.
(4) Describe the nature of the risk or event that may impact the achievement of the objective(s).
(5) Document the specific category(s) of risk using the risk categories defined by the Federal Reserve. The categories are Credit, Market, Liquidity, Operational, Legal, and Reputational.
(6) Assess the likelihood that the risk/event will occur using the scale on the attached schedule.
(7) Assess the impact on the organization/line of business should the risk/event occur using the scale on the attached schedule.
(8) Giving consideration to both likelihood and impact, assess the aggregate inherent risk using the scale on the attached schedule - inherent risk is defined as the risk to an organization in the absence of any actions management might take to alter the risk's likelihood or impact.
(9) Describe the risk response(s) taken to address the identified risk/event. Risk responses may be controls in place or other actions taken to avoid, share or reduce the risk.
(10) Assess the effectiveness of the risk response in reducing the risk to a level that is within the organization's risk tolerance.
(11) Assess the residual risk - residual risk is defined as the remaining risk after management has taken action to alter the risk's likelihood or impact.
(12) Assess the direction of risk as either (I)ncreasing, (S)table or (D)ecreasing.
(13) Document whether the specific risk is subject to testing as part of the SOX 404 process.
(14) Document whether the risk response is auditable.
(15) If the risk response is auditable, assess whether it should be referred to IA for inclusion as part of the annual audit process.
(16) For all risk areas identified by the Federal Reserve, assess the overall inherent, residual and direction of risk facing the line of business.
(17) Document the rationale for each assessment including a discussion of the significant risk factors contributing to the assessment.
(18) For each one of the significant risks identified above, document the mechanisms used by management to monitor risk on a periodic and on-going basis. Also document any other mechanisms used to monitor risk.
(19) Document any significant internal or external data reviewed as part of the risk assessment process.

Page 66

Risk Inventory (cont.)

(1) Document three to five key operational, reporting and/or compliance objectives of the line of business.
(2) Document the 1-3 most significant risks/risk events that could impact the line of business' ability to achieve each stated objective.
(3) Document the specific objective or objectives to which the individual risk relates.
(4) Describe the nature of the risk or event that may impact the achievement of the objective(s).
(5) Document the specific category(s) of risk using the defined risk categories.
(6) Assess the likelihood that the risk/event will occur.

Page 67

Risk Inventory (cont.)

(7) Assess the impact on the organization/line of business should the risk/event occur using the scale on the attached schedule.
(8) Giving consideration to both likelihood and impact, assess the aggregate inherent risk using the scale on the attached schedule - inherent risk is defined as the risk to an organization in the absence of any actions management might take to alter the risk's likelihood or impact.
(9) Describe the risk response(s) taken to address the identified risk/event. Risk responses may be controls in place or other actions taken to avoid, share or reduce the risk.
(10) Assess the effectiveness of the risk response in reducing the risk to a level that is within the organization's risk tolerance.
(11) Assess the residual risk - residual risk is defined as the remaining risk after management has taken action to alter the risk's likelihood or impact.
(12) Assess the direction of risk as either (I)ncreasing, (S)table or (D)ecreasing.
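As an added example that is not part of the Crowe Horwath deck, the following Python validator checks a Risk Inventory record against the rules the field notes state: three to five objectives (1), one to three risks per objective (2), risks tied to listed objectives (3), the Federal Reserve risk categories (5), the Low/Moderate/High scale seen in the sample rows for (6), (7), (8) and (11), the I/S/D direction (12), and referral to IA only when the response is auditable (14), (15). The class, field names and sample objectives and risks are this example's own constructions, and the check that residual risk does not rate above inherent risk is an assumption consistent with the sample rows, not a rule the form states.

```python
from collections import Counter
from dataclasses import dataclass
# Vocabularies from the form's field notes: (5) the Federal Reserve risk categories, the
# Low/Moderate/High scale shown in the sample rows for (6)(7)(8)(11), and (12) direction.
CATEGORIES = {"Credit", "Market", "Liquidity", "Operational", "Legal", "Reputational"}
RATINGS = ("Low", "Moderate", "High")
DIRECTIONS = {"I", "S", "D"}
@dataclass
class Risk:  # one row of the risk table; the field names are this example's own
    objective_ids: list   # (3) objectives the risk relates to
    description: str      # (4)
    categories: set       # (5)
    likelihood: str       # (6)
    impact: str           # (7)
    aggregate: str        # (8) aggregate inherent risk
    effectiveness: str    # (10) effectiveness of the risk response (9)
    residual: str         # (11)
    direction: str        # (12)
    auditable: bool       # (14)
    refer_to_audit: bool = False  # (15)
def validate(objectives: dict, risks: list) -> list:
    # Returns the violations of the field-note rules; an empty list means the record is consistent.
    errs = []
    if not 3 <= len(objectives) <= 5:
        errs.append("(1) form requires three to five objectives")
    for i, r in enumerate(risks, 1):
        errs += [f"risk {i}: (3) unknown objective {o}" for o in r.objective_ids if o not in objectives]
        if not r.categories or not r.categories <= CATEGORIES:
            errs.append(f"risk {i}: (5) category not in the Federal Reserve list")
        for fld in ("likelihood", "impact", "aggregate", "residual"):
            if getattr(r, fld) not in RATINGS:
                errs.append(f"risk {i}: {fld} must be one of {RATINGS}")
        # Assumed consistency check: residual (11) is what remains after the response, so it should not rate above inherent (8).
        if r.residual in RATINGS and r.aggregate in RATINGS and RATINGS.index(r.residual) > RATINGS.index(r.aggregate):
            errs.append(f"risk {i}: (11) residual risk rated above inherent risk")
        if r.direction not in DIRECTIONS:
            errs.append(f"risk {i}: (12) direction must be I, S or D")
        if r.refer_to_audit and not r.auditable:
            errs.append(f"risk {i}: (15) only an auditable response can be referred to IA")
    per_objective = Counter(o for r in risks for o in r.objective_ids)
    for oid in objectives:
        if not 1 <= per_objective[oid] <= 3:
            errs.append(f"{oid}: (2) each objective needs one to three risks")
    return errs

# Constructed sample, patterned on the first rows of the deck's XYX Bank working draft.
OBJECTIVES = {"O1": "Originate loans within policy", "O2": "Accurate HMDA reporting", "O3": "Retain key staff"}
RISKS = [Risk(["O1"], "Systemic mortgage fraud", {"Credit", "Operational"}, "Moderate", "High", "High", "Effective", "Moderate", "S", True, True),
         Risk(["O2"], "HMDA data error", {"Legal"}, "Low", "High", "Moderate", "Effective", "Low", "S", True),
         Risk(["O3"], "Staff turnover", {"Operational"}, "Moderate", "Moderate", "Moderate", "Effective", "Moderate", "I", False)]
```

Calling validate(OBJECTIVES, RISKS) on the sample returns an empty list; a row with an unlisted objective, a category outside the six, or a residual rating above its inherent rating is reported with the number of the field note it breaks.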

Page 68

Questions?

Crowe Horwath LLP, Member Crowe Horwath International

E. Michael Thomas, CPA, CIA, CBA, CFE, CRP, CFF, CRMA
3399 Peachtree Rd NE, Suite 700
Atlanta, GA 30326-2832
404-442-1607 (Atlanta Office)
404-442-1616 (Atlanta Fax)
404-550-3492 (cell)

[email protected]