Internal Controls – Risk Assessment
Our first article focused on the reasons to love internal controls. Our second article focused on the control environment, which is the first of five core components of The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework that many organizations follow when developing and implementing internal controls that are right-sized to them. In this article, we’ll focus on the second of the five components.
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
A comprehensive, iterative risk assessment is crucial as it creates an awareness of the internal and external risks that could impact the organization’s ability to meet its objectives. It helps prioritize risk management and aids in developing a roadmap and processes for the establishment of internal controls to mitigate or minimize the risks to an acceptable level.
A risk assessment is comprised of:
- Identifying quantitative and qualitative risks that could influence the organization’s ability to conduct business
- Evaluating risks (analysis), which may include the construction of a risk/heat map
- Determining risk tolerance and establishing control measures
The Board of Directors and senior management team should focus on key risks during the risk assessment.
The first step is compiling a comprehensive list of risks organized by risk categories, such as:
- Financial reporting
- Insurance (underwriting, reserving, investment and credit)
- Data and cyber security
- Other operational and business
The next step is evaluating and prioritizing the risks. When evaluating key risks, ask, “What is the likelihood of the event occurring?” and “What is the impact if it were to occur?”. Consider insignificant risks during the process as on their own they could create significant opportunity when interrelated with other events or conditions that may result in vulnerabilities.
The process of “risk prioritization” ensues using the results of the assessment. Risk prioritization (ranking) assess the probabilities and consequences of risk events if they were to occur compared to target risk levels and tolerance thresholds. By ranking risks, management can deploy the resources needed to manage or mitigate high probability/high consequence risk events.
For financial reporting risks, a risk analysis for each financial statement line could be performed and risks ranked based on potential material misstatements due to errors or fraud (low, moderate or high) followed by identifying key controls. An alternative is for management to identify significant cycles, such as underwriting, claims, investments, treasury, and financial statement closing and reporting, and determining “what could go wrong” in those cycles. Management then implements key controls to mitigate those risks. When identifying financial reporting key controls, it is important to consider segregation of duties.
An organization’s risk assessment is an iterative process and should be reviewed and updated when changes occur or new risks emerge. Controls should be monitored and remediation plans should be put in place for findings.