Internal Auditor

October 2011

Risk and the Butterfly


A new tool enables both internal auditors and management to better identify risk events as part of the organization's risk analysis.

Eric Lavoie, CIA, CCSA, CA, Partner, Risk Management and Internal Audit, Lemieux Nolet

As more and more organizations implement formal enterprise risk management (ERM) processes, internal auditors face the challenge of evaluating the effectiveness of those processes and contributing to their improvement, as directed by IIA Standard 2120: Risk Management. Consequently, auditors need to rebalance their efforts from traditional risk-based auditing to focusing on management's ERM process, specifically on challenging management's risk analysis. This risk analysis corresponds with the event identification, risk assessment, risk response, and control activity components of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework. Internal auditors need to master the art of risk analysis to bring value to their organization in its journey toward an effective and sustainable ERM process.

In practice, risk analysis is a paradox. On one end, some managers who are implementing risk management in their sector contend that the process comes naturally and can remain informal. On the other end, risk management becomes more complex and difficult to apply as organizations try to document a useful process. Whatever the belief, many organizations have failed to manage their risks without a formal risk management process, although having such a process in place is no guarantee that the effort will succeed. Adopting a butterfly risk tool can help internal auditors evaluate the effectiveness and contribute to the improvement of management's ERM process.

ANALYZING RISK
Risk analysis is not an exact and objective science. Anyone can perform a risk analysis and generate a list of numerous risk items, according to his or her perceptions and definition of risk. But this list may not be useful and sufficient to demonstrate mastery of risks.

Typical pitfalls involved with event identification include:

- Incomplete risk (i.e., source only, event only, or consequence only).
- Irrelevant risk (i.e., not related to objectives or process scope).
- Too general or generic risk (i.e., not sufficiently adapted to the specific context). Examples include a broad risk category such as financial risk or a risk area such as supply chain risk, in which the risks still need to be identified.
- Risk confused with the corresponding objective or asset to protect. Examples include protection of confidential data (objective) versus unauthorized access to confidential data (risk), or reputational risk (risk) versus what could go wrong and damage reputation (objective).
- Risk factor considered as a risk. Although a risk factor, such as complexity, is not manageable, it is inherent and needs to be considered when assessing and responding to the risk.
- A lack of control considered as the risk. Control will be addressed later in the evaluation process.
- A past incident or an actual problem considered as the risk. Risk, by definition, is focused on future potential events. However, incidents and problems should be considered during risk assessment. Recalling a past incident or a known problem can contribute to identifying the risk that a similar incident could materialize in the future. Risk management is not about solving problems but anticipating and proactively responding to potential problems.

http://www.theiia.org/intAuditor/feature-articles/2011/october/risk-and-the-butterfly/index.cfm?print

01/02/2012 1:07:29

The concept of risk involves unavoidable gray zones. Typical event identification tools may be used, looking at risk from different angles such as through key questions, risk models, risk categories, and assets at risk. The gathered information then needs to be structured and documented to be useful for the remaining steps. This requires nuance and adaptation to the specific context. The substance of risk has to be extracted from the gray zones and clearly revealed under daylight.

That's where the science of risk management also becomes an art: It requires the ability to see the overall picture and good writing skills to deliver a valuable and credible risk profile. This aspect has to be acknowledged and tackled with a rigorous approach by management (to implement ERM) and internal audit (to assess management's ERM plan) because many risks are hidden in those gray areas. It also requires a holistic approach that considers interdependencies among risks while still considering significant risks distinctly.

A PRACTICAL TOOL
The COSO ERM framework event identification component addresses external and internal factors, risk/event categories, consideration of past events, and risk interdependencies. The Butterfly Risk Tool, below, is intended to clarify, complete, and integrate those related concepts to enrich management's risk analysis and enable internal auditors to perform a robust ERM effectiveness evaluation. Underlying this tool is a broader paradigm that considers and formally documents the risk sources and consequences for each potential event. Applicable at first during event identification, it encompasses and brings value to risk assessment, risk response, and control activities. Auditors using the tool could gain ideas to better assess whether management's event identification is complete and sufficiently detailed to provide value in the remaining phases of the risk management process.


The image of a butterfly illustrates the paradigm's two main dimensions: event identification and control activities. For event identification, the left wing refers to risk sources and the right wing to risk consequences. Risk sources include external and internal sources, risk factors, and risk indicators (e.g., past incidents, red flags, and near misses). Monitoring external and internal environments can enable management and auditors to identify new and emerging risks once typical inherent risks have been identified. Risk consequences consider types of impact and their potential extent and speed of realization. Many types of potential impacts need to be considered, including monetary, physical, informational, and loss of reputation and other intangible assets. Moreover, impact will vary depending on stakeholder scrutiny, powers, expectations, and sensibility.

For risk assessment, likelihood relates to the left side and impact relates to the right side. Risk response options of reducing likelihood and avoiding risk apply on the left wing; options of mitigating impact and transferring/diversifying risk apply on the right wing. Preventive and monitoring control activities apply on the left; mitigation and corrective controls on the right. Risk interdependencies appear on the left when the consequence of an upstream risk becomes a source of the risk under analysis. On the right, a consequence of the risk could become a source of another downstream risk. Another feature of the tool is the inherent application of a process view and of an extended organization perspective (i.e., consideration of key suppliers and outsourcers) at the junction of external and internal sources.

A prerequisite to applying the butterfly risk tool effectively is a clear and shared definition of its key underlying concepts (see Applying the Butterfly Tool). This example illustrates to what extent a risk should be identified to allow for effective risk management. The concept of risk can be viewed as a set of potential scenarios that could go wrong in a specific external and internal environment. A richer multisource and multiconsequence analysis might encompass more than one risk scenario within a specific risk, therefore requiring those different aspects to be considered in subsequent phases of the analysis. Alternatively, many potential scenarios might be split up into individual risks to be assessed separately. The example also highlights some interdependencies among risks. Moreover, it shows contextualized risk factors and indicators that should be considered during the assessment phase because they generally contribute to increased likelihood.

Internal auditors need to master these concepts and contribute to a common risk language. For example, they should be able to explain the difference between a risk and a risk factor, which are frequently confused in risk literature. They should understand that risk/impact mitigation is only one of many possible risk responses.


BENEFITS FOR RISK ANALYSIS
At first, the butterfly risk tool can be useful to management in preparing a complete risk event identification and during subsequent steps in the risk management process. It is not intended to be used by internal auditors to document systematically each risk in a risk profile, which would not be cost-effective; instead, auditors should use it as a mind frame for reviews and assessments of management's risk event identification deliverable.

Risk Assessment: The butterfly tool facilitates risk measurement and can ensure the consistency and credibility of risk profiles. Moreover, it can enhance management and stakeholder buy-in of the risk assessment because sources and risk factors/indicators are considered collectively to assess likelihood, and consequences are considered collectively to assess impact. For example, when assessing the risk of infrastructure becoming unavailable, the extent and speed at which an outage would reach IT systems and workstations should be considered to measure its potential impact.

Risk Response Strategy: When residual risk exceeds risk tolerance, the butterfly tool ensures that all significant external and internal sources and consequences are being addressed by a risk response strategy. It helps to determine the appropriate risk response strategy, including options to reduce likelihood and mitigate impacts. The tool also can ensure that risk factors/indicators are considered to establish a relevant and feasible risk response strategy. In addition, it can help management target sectors responsible for action plans addressing both external and internal sources. In the examples depicted in the sidebar, the following sectors would be involved in an integrated risk response strategy:

- Infrastructure and systems temporarily unavailable: IT, human resources, finance (purchasing), legal (contract design), and public relations (crisis management).
- Decreased client satisfaction: top management (strategy), research and development (product development), order management, shipping, and complaint management.

Additionally, the butterfly tool demonstrates that if a risk event cannot be prevented from an external source, available options remain such as mitigating the impact or transferring a portion of the impact outside the organization. In the example of unavailable infrastructure, the mitigation strategy typically would consist of business continuity preparedness and readiness. The organization also could work with external IT outsourcers to reduce the likelihood through risk sharing and contractual incentives.

Finally, management can use the tool to prepare an influence diagram showing upstream risks from the left and downstream risks to the right. Upstream risks such as lack of expertise could be prioritized for risk response and action planning because of their leverage over other risks.
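The influence diagram described above can be derived mechanically once each risk has been recorded with both wings filled in: an edge runs from an upstream risk to a downstream one whenever a consequence on the first risk's right wing appears as a source on the second risk's left wing, and a risk's leverage is the number of downstream risks it can reach. The following Python is an added example, not part of the article or of any tool it describes; the `ButterflyRisk` class, the helper functions and the sample register (which echoes the article's "lack of expertise", "infrastructure unavailable" and "client satisfaction" examples) are all constructed here for illustration. It also flags the "incomplete risk" pitfall from the event identification section, since an entry with only a consequence cannot be placed on the diagram.

```python
from dataclasses import dataclass, field

# Hypothetical butterfly entry (constructed for this example): the event sits in
# the middle, sources on the left wing, consequences on the right wing, with the
# inherent factors and indicators that colour the likelihood assessment.
@dataclass
class ButterflyRisk:
    event: str
    sources: set = field(default_factory=set)       # left wing
    consequences: set = field(default_factory=set)  # right wing
    factors: set = field(default_factory=set)       # inherent, not manageable
    indicators: set = field(default_factory=set)    # past incidents, near misses


def completeness_gaps(risk):
    """Return the parts of the butterfly that are missing for this entry.

    An empty list means the entry has an event, at least one source and at
    least one consequence; anything else is the 'incomplete risk' pitfall.
    """
    gaps = []
    if not risk.event.strip():
        gaps.append("event")
    if not risk.sources:
        gaps.append("sources")
    if not risk.consequences:
        gaps.append("consequences")
    return gaps


def interdependencies(risks):
    """Directed edges upstream -> downstream between complete risks.

    A consequence of one risk that is also a source of another links the two.
    Incomplete entries are left out because they cannot be placed on the diagram.
    """
    complete = [r for r in risks if not completeness_gaps(r)]
    edges = {r.event: set() for r in complete}
    for up in complete:
        for down in complete:
            if up is not down and up.consequences & down.sources:
                edges[up.event].add(down.event)
    return edges


def downstream_leverage(risks):
    """Count the distinct downstream risks reachable from each risk (cycle-safe DFS)."""
    edges = interdependencies(risks)
    leverage = {}
    for start in edges:
        seen, stack = set(), list(edges[start])
        while stack:
            node = stack.pop()
            if node in seen or node == start:
                continue
            seen.add(node)
            stack.extend(edges[node])
        leverage[start] = len(seen)
    return leverage


def prioritize_upstream(risks):
    """Order risks by leverage, highest first, for response and action planning."""
    lev = downstream_leverage(risks)
    return sorted(lev, key=lambda event: (-lev[event], event))


# Constructed sample register; names and values are illustrative only.
SAMPLE_RISKS = [
    ButterflyRisk(
        event="Lack of key IT expertise",
        sources={"staff turnover", "no knowledge transfer"},
        consequences={"misconfiguration", "slow incident recovery"},
        factors={"rare skill set"},
        indicators={"two senior administrators resigned last year"},
    ),
    ButterflyRisk(
        event="Infrastructure and systems temporarily unavailable",
        sources={"misconfiguration", "power outage", "outsourcer failure"},
        consequences={"order processing delayed", "data loss"},
        factors={"aging data centre"},
        indicators={"near miss: UPS failure in Q2"},
    ),
    ButterflyRisk(
        event="Decreased client satisfaction",
        sources={"order processing delayed", "product defects"},
        consequences={"revenue loss", "reputation damage"},
    ),
    # Deliberately incomplete entry: a consequence with no event and no source.
    ButterflyRisk(event="", consequences={"regulatory fines"}),
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(f"{risk.event or '<no event>'}: gaps={completeness_gaps(risk)}")
    print("interdependencies:", interdependencies(SAMPLE_RISKS))
    print("priority order:", prioritize_upstream(SAMPLE_RISKS))
```

Run as-is, the sample register yields two edges (expertise -> unavailable infrastructure -> client satisfaction), so "Lack of key IT expertise" comes out first with a leverage of two, matching the article's point that upstream risks deserve priority. The shared-string matching is deliberately strict: in practice a register needs a controlled vocabulary for sources and consequences, or the interdependencies simply will not be found.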

Control Activities: With the butterfly tool, control activities can be addressed better globally as a portfolio and by using a process view. The tool facilitates the integration of risk, risk response, and control activities. It also helps management and auditors understand the collective effect of a mix of preventive, monitoring, detective, corrective, and mitigation controls. In the infrastructure availability example, sound risk management of a potential system outage would result in a combination of actions, including implementing access controls, focused training, key IT expertise retention, business continuity, and crisis management.

TARGETING AND CONTROLS
Addressing significant sources and consequences to reduce their likelihood and mitigate their impact is a good start, but one additional dimension still needs to be considered. Risk management should target any risk area that would deserve greater attention, such as a process, business unit, or system. For the risks addressed in Applying the Butterfly Tool, specific employee categories, IT systems, and client categories would be targeted for both risk response strategy and control activity design.

A risk paradigm must be maintained until the end of the risk analysis process. Applying systematic and widespread control activities rarely comes with cost-effective risk management. Controls need to be balanced with corresponding risk assessments. Consequently, higher risk areas would deserve priority for additional or more intensive control activities. Conversely, control activities should be eliminated or reduced in intensity for low risk areas. To address the lack of expertise risk, for example, the organization could identify key employees with high and rare expertise to participate in formal mentoring and knowledge-transfer programs. Preventive controls such as employee contract clauses, career planning, and personal conflict detection and mitigation would be intensified.

A MULTIFACETED APPROACH
Overall, the butterfly tool can help management better assess and prioritize risks as well as determine the most effective risk response and control strategy. Therefore, it can be used to evaluate to what extent management's risk analysis tools contribute to rich and complete risk profiles.

It also can enable internal auditors to perform a more effective ERM evaluation, recommend improvements, and better challenge and evaluate management's risk and control self-assessments. Moreover, the approach can support auditors when they facilitate risk assessment workshops and when they train management in gaining a common language and understanding of risk and control concepts.

Internal Auditor 247 Maitland Ave, Altamonte Springs Florida, 32701 Tel. 123 www.internalauditoronline.org
