Internal Auditor
http://www.theiia.org/intAuditor/feature-articles/2011/october/risk-and-the-butterfly/index.cfm?print
October 2011
Risk and the Butterfly
A new tool enables both internal auditors and management to better identify risk events as part of the
organization’s risk analysis.
Eric Lavoie, CIA, CCSA, CA
Partner, Risk Management and Internal Audit
Lemieux Nolet
As more and more organizations implement formal enterprise risk management (ERM) processes, internal auditors
face the challenge of evaluating the effectiveness of those processes and contributing to their improvement, as
directed by IIA Standard 2120: Risk Management. Consequently, auditors need to rebalance their efforts from
traditional risk-based auditing to focusing on management’s ERM process — specifically, to challenging
management’s risk analysis. This risk analysis corresponds with the event identification, risk assessment, risk
response, and control activity components of The Committee of Sponsoring Organizations of the Treadway
Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework. Internal auditors need to master the art
of risk analysis to bring value to their organization in its journey toward an effective and sustainable ERM process.
In practice, risk analysis is a paradox. On one hand, some managers who are implementing risk management in their
sector contend that the process comes naturally and can remain informal. On the other hand, risk management
becomes more complex and difficult to apply as organizations try to document a useful process. Whatever the belief,
many organizations have failed to manage their risks without a formal risk management process, although having
such a process in place is no guarantee that the effort will succeed. Adopting a “butterfly risk tool” can help internal
auditors evaluate the effectiveness and contribute to the improvement of management’s ERM process.
ANALYZING RISK
Risk analysis is not an exact and objective science. Anyone can perform a risk analysis and generate a list of
numerous risk items, according to his or her perceptions and definition of risk. But this list may not be useful and
sufficient to demonstrate mastery of risks.
Typical pitfalls involved with event identification include:
Incomplete risk (i.e., source only, event only, or consequence only).
Irrelevant risk (i.e., not related to objectives or process scope).
Too general or generic risk (i.e., not sufficiently adapted to the specific context).
Examples include a broad risk category such as financial risk or a risk area such as supply chain risk, in which the
risks still need to be identified.
Risk confused with the corresponding objective or asset to protect. Examples include protection of confidential
data (objective) versus unauthorized access to confidential data (risk), or reputational risk (risk) versus what
could go wrong and damage reputation (objective).
Risk factor considered as a risk. Although a risk factor, such as complexity, is not manageable, it is inherent
and needs to be considered when assessing and responding to the risk.
A lack of control considered as the risk. Control will be addressed later in the evaluation process.
A past incident or an actual problem considered as the risk. Risk, by definition, is focused on future potential
events. However, incidents and problems should be considered during risk assessment. Recalling a past
incident or a known problem can contribute to identifying the risk that a similar incident could materialize in the
future. Risk management is not about solving problems but anticipating and proactively responding to potential
problems.
The concept of risk involves unavoidable gray zones. Typical event identification tools may be used, looking at risk
from different angles such as through key questions, risk models, risk categories, and assets at risk. The gathered
information then needs to be structured and documented to be useful for the remaining steps. This requires nuance
and adaptation to the specific context. The substance of risk has to be extracted from the gray zones and clearly
revealed under daylight.
That’s where the science of risk management also becomes an art: It requires the ability to see the overall picture and
good writing skills to deliver a valuable and credible risk profile. This aspect has to be acknowledged and tackled with
a rigorous approach by management (to implement ERM) and internal audit (to assess management’s ERM plan)
because many risks are hidden in those gray areas. It also requires a holistic approach that considers
interdependencies among risks while still considering significant risks distinctly.
A PRACTICAL TOOL
The COSO ERM framework “event identification” component addresses external and internal factors, risk/event
categories, consideration of past events, and risk interdependencies. The “Butterfly Risk Tool,” below, is intended to
clarify, complete, and integrate those related concepts to enrich management’s risk analysis and enable internal
auditors to perform a robust ERM effectiveness evaluation. Underlying this tool is a broader paradigm that considers
and formally documents the risk sources and consequences for each potential event. Applicable at first during event
identification, it encompasses and brings value to risk assessment, risk response, and control activities. Auditors
using the tool could gain ideas to better assess whether management’s event identification is complete and sufficiently
detailed to provide value in the remaining phases of the risk management process.
The image of a butterfly illustrates the paradigm’s two main dimensions: event identification and control activities. For
event identification, the left wing refers to risk sources and the right wing to risk consequences. Risk sources include
external and internal sources, risk factors, and risk indicators (e.g., past incidents, red flags, and near misses).
Monitoring external and internal environments can enable management and auditors to identify new and emerging
risks once typical inherent risks have been identified. Risk consequences consider types of impact and their potential
extent and speed of realization. Many types of potential impacts need to be considered, including monetary, physical,
informational, and loss of reputation and other intangible assets. Moreover, impact will vary depending on stakeholder
scrutiny, powers, expectations, and sensibility.
For risk assessment, likelihood relates to the left side and impact relates to the right side. Risk response options of
“reducing likelihood” and “avoiding risk” apply on the left wing; options of “mitigating impact” and “transferring/
diversifying risk” apply on the right wing. Preventive and monitoring control activities apply on the left; mitigation and
corrective controls on the right. Risk interdependencies appear on the left when the consequence of an upstream risk
becomes a source of the risk under analysis. On the right, a consequence of the risk could become a source of
another downstream risk. Another feature of the tool is the inherent application of a process view and of an “extended
organization” perspective (i.e., consideration of key suppliers and outsourcers) at the junction of external and internal
sources.
A prerequisite to applying the butterfly risk tool effectively is a clear and shared definition of its key underlying concepts
(see “Applying the Butterfly Tool”). This example illustrates to what extent a risk should be identified to allow for
effective risk management. The concept of risk can be viewed as a set of potential scenarios that could go wrong in a
specific external and internal environment. A richer multisource and multiconsequence analysis might encompass
more than one risk scenario within a specific risk, therefore requiring those different aspects to be considered in
subsequent phases of the analysis. Alternatively, many potential scenarios might be split up into individual risks to be
assessed separately. The example also highlights some interdependencies among risks. Moreover, it shows
contextualized risk factors and indicators that should be considered during the assessment phase because they
generally contribute to increased likelihood.
Internal auditors need to master these concepts and contribute to a common risk language. For example, they should
be able to explain the difference between a risk and a risk factor, which are frequently confused in risk literature. They
should understand that risk/impact mitigation is only one of many possible risk responses.
BENEFITS FOR RISK ANALYSIS
At first, the butterfly risk tool can be useful to management in preparing a complete risk event identification and during
subsequent steps in the risk management process. It is not intended to be used by internal auditors to document
systematically each risk in a risk profile, which would not be cost-effective; instead, auditors should use it as a mind
frame for reviews and assessments of management’s risk event identification deliverable.
Risk Assessment
The butterfly tool facilitates risk measurement and can ensure the consistency and credibility of risk profiles. Moreover,
it can enhance management and stakeholder “buy-in” of the risk assessment because sources and risk factors/
indicators are considered collectively to assess likelihood, and consequences are considered collectively to assess
impact. For example, when assessing the risk of infrastructure becoming unavailable, the extent and speed at which
an outage would reach IT systems and workstations should be considered to measure its potential impact.
Risk Response Strategy
When residual risk exceeds risk tolerance, the butterfly tool ensures that all significant external and internal sources
and consequences are being addressed by a risk response strategy. It helps to determine the appropriate risk
response strategy, including options to reduce likelihood and mitigate impacts. The tool also can ensure that risk
factors/indicators are considered to establish a relevant and feasible risk response strategy. In addition, it can help
management target sectors responsible for action plans addressing both external and internal sources. In the
examples depicted in the sidebar, the following sectors would be involved in an integrated risk response strategy:
Infrastructure and systems temporarily unavailable: IT, human resources, finance (purchasing), legal (contract
design), and public relations (crisis management).
Decreased client satisfaction: top management (strategy), research and development (product development),
order management, shipping, and complaint management.
Additionally, the butterfly tool demonstrates that if a risk event cannot be prevented from an external source, available
options remain such as mitigating the impact or transferring a portion of the impact outside the organization. In the
example of unavailable infrastructure, the mitigation strategy typically would consist of business continuity
preparedness and readiness. The organization also could work with external IT outsourcers to reduce the likelihood
through risk sharing and contractual incentives.
Finally, management can use the tool to prepare an influence diagram showing upstream risks from the left and
downstream risks to the right. Upstream risks such as “lack of expertise” could be prioritized for risk response and
action planning because of their leverage over other risks.
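The two-wing risk record described under “A Practical Tool” and the influence-diagram prioritization above, as an added worked example that is not part of the article or its author’s tool. The risk names are constructed from the article’s sidebar examples, and the leverage rule (count of downstream risks reached transitively) is an assumption used for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ButterflyRisk:
    """One risk event with its left wing (sources) and right wing (consequences)."""
    name: str                                         # the potential event itself
    sources: list = field(default_factory=list)       # left wing: external/internal sources
    risk_factors: list = field(default_factory=list)  # left wing: inherent, not manageable
    indicators: list = field(default_factory=list)    # left wing: incidents, red flags, near misses
    consequences: list = field(default_factory=list)  # right wing: types of impact
    downstream: list = field(default_factory=list)    # names of risks this event can feed

    def completeness_issues(self):
        """Flag the 'incomplete risk' pitfall: a record missing a wing."""
        issues = []
        if not self.sources:
            issues.append("source missing (event/consequence only)")
        if not self.consequences:
            issues.append("consequence missing (source/event only)")
        return issues

def leverage(risks):
    """Influence diagram: how many downstream risks each risk reaches (transitively)."""
    by_name = {r.name: r for r in risks}
    def reach(name, seen):
        for d in by_name[name].downstream:
            if d in by_name and d not in seen:   # ignore unknown names, avoid cycles
                seen.add(d)
                reach(d, seen)
        return seen
    return {r.name: len(reach(r.name, {r.name})) - 1 for r in risks}

def prioritized(risks):
    """Upstream risks first: highest leverage over other risks, as the article suggests."""
    lev = leverage(risks)
    return [r.name for r in sorted(risks, key=lambda r: lev[r.name], reverse=True)]

# Constructed sample chain: lack of expertise -> outage -> decreased client satisfaction
RISKS = [
    ButterflyRisk("lack of expertise", sources=["departure of key IT staff"],
                  risk_factors=["rare skills"], consequences=["loss of know-how"],
                  downstream=["infrastructure and systems temporarily unavailable"]),
    ButterflyRisk("infrastructure and systems temporarily unavailable",
                  sources=["outsourcer failure", "lack of expertise"],
                  indicators=["near misses in past year"],
                  consequences=["IT systems and workstations unavailable"],
                  downstream=["decreased client satisfaction"]),
    ButterflyRisk("decreased client satisfaction",
                  sources=["infrastructure and systems temporarily unavailable"],
                  consequences=["lost orders", "reputation damage"]),
]
```

A generic entry such as `ButterflyRisk("financial risk")` fails `completeness_issues()` on both wings, which is the “too general” and “incomplete risk” pitfall the article lists.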
Control Activities
With the butterfly tool, control activities can be addressed better globally as a “portfolio” and by using a process view.
The tool facilitates the integration of risk, risk response, and control activities. It also helps management and auditors
understand the collective effect of a mix of preventive, monitoring, detective, corrective, and mitigation controls. In the
infrastructure availability example, sound risk management of a potential system outage would result in a combination
of actions, including implementing access controls, focused training, key IT expertise retention, business continuity,
and crisis management.
TARGETING AND CONTROLS
Addressing significant sources and consequences to reduce their likelihood and mitigate their impact is a good start —
but one additional dimension still needs to be considered. Risk management should target any risk area that would
deserve greater attention such as a process, business unit, or system. For the risks addressed in “Applying the
Butterfly Tool,” specific employee categories, IT systems, and client categories would be targeted for both risk
response strategy and control activity design.
A risk paradigm must be maintained until the end of the risk analysis process. Applying systematic and widespread
control activities rarely comes with cost-effective risk management. Controls need to be balanced with corresponding
risk assessments. Consequently, higher risk areas would deserve priority for additional or more intensive control
activities. Conversely, control activities should be eliminated or reduced in intensity for low risk areas. To address the
lack of expertise risk, for example, the organization could identify key employees with high and rare expertise to
participate in formal mentoring and knowledge-transfer programs. Preventive controls such as employee contract
clauses, career planning, and personal conflict detection and mitigation would be intensified.
A MULTIFACETED APPROACH
Overall, the butterfly tool can help management better assess and prioritize risks as well as determine the most
effective risk response and control strategy. Therefore, it can be used to evaluate to what extent the management’s
risk analysis tools contribute to rich and complete risk profiles.
It also can enable internal auditors to perform a more effective ERM evaluation, recommend improvements, and better
challenge and evaluate management’s risk and control self-assessments. Moreover, the approach can support
auditors when they facilitate risk assessment workshops and when they train management in gaining a common
language and understanding of risk and control concepts.
Internal Auditor, 247 Maitland Ave, Altamonte Springs, Florida 32701
www.internalauditoronline.org