Once issues have been validated and recorded, whether they came out of an audit or an internal review, the associated business risk needs to be assessed. A formal risk assessment should be prepared and documented by the owner of the process in which the exposure or problem was found.
The formal risk assessment should at least address the following elements:
Definition of the problem
Quantification of the risk
Development of alternatives
Calculation of the financial impact for each alternative
Selection of the optimum solution
Documentation of the decision
Categorization of the risk
Approval of the decision
Revalidation of the risk assessment and decision
Definition of the problem – The first step in a risk assessment is to state the exposure or problem that was identified.
Quantification of the risk – The owner should take into consideration the following when quantifying the risk:
Impact of slowing the business down
Potential or actual dollar loss
Cost of recovery
Time to recover
Possibility of fraud or theft
Probability of occurrence
Probable duration of the exposure
Criticality to the business
Cost of adding control
Cost of alternatives
Development of alternatives – The assessment should identify the alternatives available to the business, which fall into three categories: continue with business as usual, enhance the controls that are already in place, or introduce new controls to the process.
Calculation of the financial impact for each alternative – The cost associated with each enhancement or new control to be developed needs to be calculated.
Selection of the optimum solution – The business decision as to which alternative is selected should be based on financial impact. The cost of each alternative should be weighed against the financial impact of the business exposure. On that basis, a decision should be made either to accept the risk and continue with business as usual, or not to accept the risk and either establish new controls or enhance existing ones.
Documentation of the decision – The rationale for the decision that is chosen should be fully explained within the formal risk assessment.
Categorization of the risk – The owner of the risk should categorize the risk as high, medium or low based on an evaluation of what the exposure could cost the business in tangible and intangible losses.
Approval of the decision – The decision should be approved by at least two levels of process management. Medium risks should be brought to the attention of the Chief Audit Executive and high risks brought to the attention of the Audit Committee.
Revalidation of the risk assessment and decision – All risk assessments should be re-evaluated at least annually, with high risks evaluated more frequently where warranted. Revalidation is necessary because the environment, the organization, the company's position, economic conditions, etc., may change in the interim. Such changes could affect the decision made when the risk was first evaluated, and that decision may no longer be valid, hence the need for revalidation and reassessment.