Insight Risk Consulting

Insight Risk ConsultingInsight Risk ConsultingInsight Risk Consulting

Insight Risk Consulting

Insight Risk ConsultingInsight Risk ConsultingInsight Risk Consulting
  • Home
  • Services
    • Offerings
    • Risk Assessments
    • Social Eng. Testing
    • Web Application Testing
    • Network Pen. Testing
    • Consulting
  • About Us
  • Contact Us
  • Newsletter
  • More
    • Home
    • Services
      • Offerings
      • Risk Assessments
      • Social Eng. Testing
      • Web Application Testing
      • Network Pen. Testing
      • Consulting
    • About Us
    • Contact Us
    • Newsletter
  • Home
  • Services
    • Offerings
    • Risk Assessments
    • Social Eng. Testing
    • Web Application Testing
    • Network Pen. Testing
    • Consulting
  • About Us
  • Contact Us
  • Newsletter

Risk Assessments

There is a proliferating array of risk assessments expected by examiners. Our risk assessment consulting and risk analysis programs are based on industry best practices and performed by knowledgeable experts trained in the field. Each risk assessment seeks to address the following basic tasks: 


  • Identify the specific assets that need to be protected (employees, proprietary information, financial assets, reputation, etc.) 
  • Identify and quantify the types of risks that could impact each asset 
  • Determine the criticality of each potential risk event (to help ensure a cost-effective approach to risk mitigation)  
  • Identify the internal controls required in order to protect the assets in question   


Our approach aligns with the COSO (Committee of Sponsoring Organizations of the Treadway Commission) approach. Risk is decomposed into inherent vs. residual risk (i.e., before and after taking account of the internal controls in place). Inherent risk reflects the likelihood of a loss event together with the impact it would have. Once all material risks have been identified, whatever their source, we then map the one or more controls intended to mitigate each risk. Residual risk is what’s left over after accounting for a) how effectively the internal controls are designed, vis-à-vis the inherent risks faced, and b) how effectively they are operating. While the former is an integral part of the risk assessment process, the latter requires audit testing to validate. In that sense, a risk assessment will generally produce only a partial determination of residual risk (i.e., reflecting how well designed the controls are but not their operating effectiveness).    


We prepare enterprise risk assessments (ERAs), as regulators expect to see as foundation for the annual audit plan. This is a high-level exercise, looking across the whole organization to identify and assess all sources of risk, be they credit, operational, compliance or whatever. Generally, an ERA will not drill down to tag each risk with the corresponding control(s); it can be done that way but quickly becomes a voluminous and cumbersome exercise. However, the identification of internal controls is a key part of other, lower-level, more disaggregated risk assessments, moving down the risk assessment hierarchy – e.g., from an ERA to a compliance risk assessment to a regulation-specific risk assessment.   


At IRC we have experience with many different types of risk assessment. We have a well-developed methodology, road-tested templates, and staff highly knowledgeable about the underlying functions being risk-assessed. 

Copyright © 2024 Insight Risk Consulting - All Rights Reserved.

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

Accept