
Internal Auditor (print view), http://www.theiia.org/intAuditor/feature-articles/2011/october/risk-and-the-butterfly/index.cfm?print, retrieved 01/02/2012 1:07:29

October 2011

Risk and the Butterfly 

A new tool enables both internal auditors and management to better identify risk events as part of the organization’s risk analysis.

 

Eric Lavoie, CIA, CCSA, CA

Partner, Risk Management and Internal Audit

Lemieux Nolet

 

As more and more organizations implement formal enterprise risk management (ERM) processes, internal auditors face the challenge of evaluating the effectiveness of those processes and contributing to their improvement, as directed by IIA Standard 2120: Risk Management. Consequently, auditors need to rebalance their efforts from traditional risk-based auditing to focusing on management’s ERM process — specifically, to challenging management’s risk analysis. This risk analysis corresponds with the event identification, risk assessment, risk response, and control activity components of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework. Internal auditors need to master the art of risk analysis to bring value to their organization in its journey toward an effective and sustainable ERM process.

 

In practice, risk analysis is a paradox. On one end, some managers who are implementing risk management in their sector contend that the process comes naturally and can remain informal. On the other end, risk management becomes more complex and difficult to apply as organizations try to document a useful process. Whatever the belief, many organizations have failed to manage their risks without a formal risk management process, although having such a process in place is no guarantee that the effort will succeed. Adopting a “butterfly risk tool” can help internal auditors evaluate the effectiveness and contribute to the improvement of management’s ERM process.

 

ANALYZING RISK

Risk analysis is not an exact and objective science. Anyone can perform a risk analysis and generate a list of numerous risk items, according to his or her perceptions and definition of risk. But this list may not be useful and sufficient to demonstrate mastery of risks.

 

Typical pitfalls involved with event identification include:

Incomplete risk (i.e., source only, event only, or consequence only).

Irrelevant risk (i.e., not related to objectives or process scope).

Too general or generic risk (i.e., not sufficiently adapted to the specific context). Examples include a broad risk category such as financial risk or a risk area such as supply chain risk, in which the risks still need to be identified.

Risk confused with the corresponding objective or asset to protect. Examples include protection of confidential data (objective) versus unauthorized access to confidential data (risk), or reputational risk (risk) versus what could go wrong and damage reputation (objective).

Risk factor considered as a risk. Although a risk factor, such as complexity, is not manageable, it is inherent and needs to be considered when assessing and responding to the risk.

A lack of control considered as the risk. Control will be addressed later in the evaluation process.

A past incident or an actual problem considered as the risk. Risk, by definition, is focused on future potential events. However, incidents and problems should be considered during risk assessment. Recalling a past incident or a known problem can contribute to identifying the risk that a similar incident could materialize in the future. Risk management is not about solving problems but anticipating and proactively responding to potential problems.

 

The concept of risk involves unavoidable gray zones. Typical event identification tools may be used, looking at risk from different angles such as through key questions, risk models, risk categories, and assets at risk. The gathered information then needs to be structured and documented to be useful for the remaining steps. This requires nuance and adaptation to the specific context. The substance of risk has to be extracted from the gray zones and clearly revealed under daylight.

 

That’s where the science of risk management also becomes an art: It requires the ability to see the overall picture and good writing skills to deliver a valuable and credible risk profile. This aspect has to be acknowledged and tackled with a rigorous approach by management (to implement ERM) and internal audit (to assess management’s ERM plan) because many risks are hidden in those gray areas. It also requires a holistic approach that considers interdependencies among risks while still considering significant risks distinctly.

 

A PRACTICAL TOOL

The COSO ERM framework “event identification” component addresses external and internal factors, risk/event categories, consideration of past events, and risk interdependencies. The “Butterfly Risk Tool,” below, is intended to clarify, complete, and integrate those related concepts to enrich management’s risk analysis and enable internal auditors to perform a robust ERM effectiveness evaluation. Underlying this tool is a broader paradigm that considers and formally documents the risk sources and consequences for each potential event. Applicable at first during event identification, it encompasses and brings value to risk assessment, risk response, and control activities. Auditors using the tool could gain ideas to better assess whether management’s event identification is complete and sufficiently detailed to provide value in the remaining phases of the risk management process.


 

The image of a butterfly illustrates the paradigm’s two main dimensions: event identification and control activities. For event identification, the left wing refers to risk sources and the right wing to risk consequences. Risk sources include external and internal sources, risk factors, and risk indicators (e.g., past incidents, red flags, and near misses). Monitoring external and internal environments can enable management and auditors to identify new and emerging risks once typical inherent risks have been identified. Risk consequences consider types of impact and their potential extent and speed of realization. Many types of potential impacts need to be considered, including monetary, physical, informational, and loss of reputation and other intangible assets. Moreover, impact will vary depending on stakeholder scrutiny, powers, expectations, and sensibility.

 

For risk assessment, likelihood relates to the left side and impact relates to the right side. Risk response options of “reducing likelihood” and “avoiding risk” apply on the left wing; options of “mitigating impact” and “transferring/diversifying risk” apply on the right wing. Preventive and monitoring control activities apply on the left; mitigation and corrective controls on the right. Risk interdependencies appear on the left when the consequence of an upstream risk becomes a source of the risk under analysis. On the right, a consequence of the risk could become a source of another downstream risk. Another feature of the tool is the inherent application of a process view and of an “extended organization” perspective (i.e., consideration of key suppliers and outsourcers) at the junction of external and internal sources.

 

A prerequisite to applying the butterfly risk tool effectively is a clear and shared definition of its key underlying concepts (see “Applying the Butterfly Tool”). This example illustrates to what extent a risk should be identified to allow for effective risk management. The concept of risk can be viewed as a set of potential scenarios that could go wrong in a specific external and internal environment. A richer multisource and multiconsequence analysis might encompass more than one risk scenario within a specific risk, therefore requiring those different aspects to be considered in subsequent phases of the analysis. Alternatively, many potential scenarios might be split up into individual risks to be assessed separately. The example also highlights some interdependencies among risks. Moreover, it shows contextualized risk factors and indicators that should be considered during the assessment phase because they generally contribute to increased likelihood.

 

Internal auditors need to master these concepts and contribute to a common risk language. For example, they should be able to explain the difference between a risk and a risk factor, which are frequently confused in risk literature. They should understand that risk/impact mitigation is only one of many possible risk responses.


 

BENEFITS FOR RISK ANALYSIS

At first, the butterfly risk tool can be useful to management in preparing a complete risk event identification and during subsequent steps in the risk management process. It is not intended to be used by internal auditors to document systematically each risk in a risk profile, which would not be cost-effective; instead, auditors should use it as a mind frame for reviews and assessments of management’s risk event identification deliverable.

 

Risk Assessment

The butterfly tool facilitates risk measurement and can ensure the consistency and credibility of risk profiles. Moreover, it can enhance management and stakeholder “buy-in” of the risk assessment because sources and risk factors/indicators are considered collectively to assess likelihood, and consequences are considered collectively to assess impact. For example, when assessing the risk of infrastructure becoming unavailable, the extent and speed at which an outage would reach IT systems and workstations should be considered to measure its potential impact.

 

Risk Response Strategy

When residual risk exceeds risk tolerance, the butterfly tool ensures that all significant external and internal sources and consequences are being addressed by a risk response strategy. It helps to determine the appropriate risk response strategy, including options to reduce likelihood and mitigate impacts. The tool also can ensure that risk factors/indicators are considered to establish a relevant and feasible risk response strategy. In addition, it can help management target sectors responsible for action plans addressing both external and internal sources. In the examples depicted in the sidebar, the following sectors would be involved in an integrated risk response strategy:

 

Infrastructure and systems temporarily unavailable: IT, human resources, finance (purchasing), legal (contract design), and public relations (crisis management).

Decreased client satisfaction: top management (strategy), research and development (product development), order management, shipping, and complaint management.

 

Additionally, the butterfly tool demonstrates that if a risk event cannot be prevented from an external source, available options remain such as mitigating the impact or transferring a portion of the impact outside the organization. In the example of unavailable infrastructure, the mitigation strategy typically would consist of business continuity preparedness and readiness. The organization also could work with external IT outsourcers to reduce the likelihood through risk sharing and contractual incentives.

 

Finally, management can use the tool to prepare an influence diagram showing upstream risks from the left and downstream risks to the right. Upstream risks such as “lack of expertise” could be prioritized for risk response and action planning because of their leverage over other risks.
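As an added illustration (not from the article or its sidebar), a small Python model of the butterfly paradigm: each Risk carries its left-wing sources, factors and indicators and its right-wing consequences; completeness_issues flags the “incomplete risk” pitfall from the event identification list earlier; influence_edges and leverage derive the influence diagram of upstream and downstream risks by matching one risk’s consequences to another’s sources. The sample risks and every label in them are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Risk:
    """One butterfly: sources (left wing), the event, consequences (right wing)."""
    event: str
    external_sources: List[str] = field(default_factory=list)
    internal_sources: List[str] = field(default_factory=list)
    risk_factors: List[str] = field(default_factory=list)  # inherent, e.g. complexity
    indicators: List[str] = field(default_factory=list)    # past incidents, red flags, near misses
    consequences: List[str] = field(default_factory=list)

    def sources(self) -> List[str]:
        return self.external_sources + self.internal_sources

def completeness_issues(risk: Risk) -> List[str]:
    """The 'incomplete risk' pitfall: a usable risk names a source, an event and a consequence."""
    issues = []
    if not risk.sources():
        issues.append("no source")
    if not risk.event.strip():
        issues.append("no event")
    if not risk.consequences:
        issues.append("no consequence")
    return issues

def influence_edges(risks: List[Risk]) -> List[Tuple[str, str]]:
    """A consequence of one risk that is a source of another links them (upstream, downstream)."""
    return [(up.event, down.event) for up in risks for down in risks
            if up is not down and set(up.consequences) & set(down.sources())]

def leverage(risks: List[Risk]) -> Dict[str, int]:
    """Distinct downstream risks reachable from each risk; more reach means more leverage."""
    adj: Dict[str, List[str]] = {r.event: [] for r in risks}
    for up, down in influence_edges(risks):
        adj[up].append(down)
    ranking = {}
    for r in risks:
        seen, stack = set(), list(adj[r.event])
        while stack:  # depth-first walk over the influence diagram
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(adj[node])
        ranking[r.event] = len(seen)
    return ranking

# Constructed sample risks, loosely following the article's sidebar examples.
SAMPLE = [
    Risk("Lack of expertise", internal_sources=["departure of key IT staff"],
         risk_factors=["complexity of systems"], indicators=["near miss during patching"],
         consequences=["misconfiguration of infrastructure"]),
    Risk("Infrastructure and systems temporarily unavailable", external_sources=["outsourcer outage"],
         internal_sources=["misconfiguration of infrastructure"], consequences=["orders cannot be shipped"]),
    Risk("Decreased client satisfaction", internal_sources=["orders cannot be shipped"],
         consequences=["loss of reputation"]),
]
INCOMPLETE = Risk("Supply chain risk")  # generic, with no source or consequence: the pitfall
```

Ranking by leverage puts “Lack of expertise” first, which is the prioritization the paragraph above argues for.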

 

Control Activities

With the butterfly tool, control activities can be addressed better globally as a “portfolio” and by using a process view. The tool facilitates the integration of risk, risk response, and control activities. It also helps management and auditors understand the collective effect of a mix of preventive, monitoring, detective, corrective, and mitigation controls. In the infrastructure availability example, sound risk management of a potential system outage would result in a combination of actions, including implementing access controls, focused training, key IT expertise retention, business continuity, and crisis management.

 

TARGETING AND CONTROLS

Addressing significant sources and consequences to reduce their likelihood and mitigate their impact is a good start — but one additional dimension still needs to be considered. Risk management should target any risk area that would deserve greater attention such as a process, business unit, or system. For the risks addressed in “Applying the Butterfly Tool,” specific employee categories, IT systems, and client categories would be targeted for both risk response strategy and control activity design.

 

A risk paradigm must be maintained until the end of the risk analysis process. Applying systematic and widespread control activities rarely comes with cost-effective risk management. Controls need to be balanced with corresponding risk assessments. Consequently, higher risk areas would deserve priority for additional or more intensive control activities. Conversely, control activities should be eliminated or reduced in intensity for low risk areas. To address the lack of expertise risk, for example, the organization could identify key employees with high and rare expertise to participate in formal mentoring and knowledge-transfer programs. Preventive controls such as employee contract clauses, career planning, and personal conflict detection and mitigation would be intensified.

 

A MULTIFACETED APPROACH

Overall, the butterfly tool can help management better assess and prioritize risks as well as determine the most effective risk response and control strategy. Therefore, it can be used to evaluate to what extent the management’s risk analysis tools contribute to rich and complete risk profiles.

 

It also can enable internal auditors to perform a more effective ERM evaluation, recommend improvements, and better challenge and evaluate management’s risk and control self-assessments. Moreover, the approach can support auditors when they facilitate risk assessment workshops and when they train management in gaining a common language and understanding of risk and control concepts.

 

Internal Auditor

247 Maitland Ave, Altamonte Springs Florida, 32701

Tel. 123

www.internalauditoronline.org