There is a proliferating array of risk assessments expected by examiners. Our risk assessment consulting and risk analysis programs are based on industry best practices and performed by knowledgeable experts trained in the field. Each risk assessment seeks to address the following basic tasks:
Our approach aligns with the COSO (Committee of Sponsoring Organizations of the Treadway Commission) approach. Risk is decomposed into inherent vs. residual risk (i.e., before and after taking account of the internal controls in place). Inherent risk reflects the likelihood of a loss event together with the impact it would have. Once all material risks have been identified, whatever their source, we then map the one or more controls intended to mitigate each risk. Residual risk is what’s left over after accounting for a) how effectively the internal controls are designed, vis-à-vis the inherent risks faced, and b) how effectively they are operating. While the former is an integral part of the risk assessment process, the latter requires audit testing to validate. In that sense, a risk assessment will generally produce only a partial determination of residual risk (i.e., reflecting how well designed the controls are but not their operating effectiveness).
We prepare enterprise risk assessments (ERAs), which regulators expect to see as the foundation for the annual audit plan. This is a high-level exercise, looking across the whole organization to identify and assess all sources of risk, be they credit, operational, compliance or otherwise. Generally, an ERA will not drill down to tag each risk with the corresponding control(s); it can be done that way but quickly becomes a voluminous and cumbersome exercise. However, the identification of internal controls is a key part of other, lower-level, more disaggregated risk assessments, moving down the risk assessment hierarchy – e.g., from an ERA to a compliance risk assessment to a regulation-specific risk assessment.
At IRC we have experience with many different types of risk assessment. We have a well-developed methodology, road-tested templates, and staff highly knowledgeable about the underlying functions being risk-assessed.
Copyright © 2022 Insight Risk Consulting - All Rights Reserved.