The internal audit perspective
To an internal auditor, a risk analysis is relevant because it provides information on the priorities within an audit universe. The auditor will look at all he has right to audit (the audit universe) and ask himself where his task, providing assurance, is best executed. You need to think this through: it’s not in the areas where management knows they have issues. If he audits there, he will get in the way and management will respond with a resounding „So what, we knew that already” hence no added value through reasonable assurance. What the auditor should focus on are those areas where the risk is high but according to management appropriately mitigated. A residual risk overview will do him no good, because management will score adequately mitigated risk as a low residual risk. There it gets confused with non essential risks or risks with a naturally low residual value. So, the internal auditor wants an inherent risk overview.
The risk management perspective
Residual risk is very relevant for the risk manager. He needs to focus on what remains to be managed. His area of attention is not (necessarily) the inherent risks. He wants and needs to take in account what has already been done, otherwise he will be focusing his attention on those issues already under control, which is not an economic use of time and means.
How to combine both needs?
People in the organization are not willing to spend twice the significant amount of time in a risk assessment exercise, once for the risk manager, once for the internal auditor. Both need the information, also because it is required by the applicable standards, such as the IIA standards on internal auditing. Can we create an assessment which answers the questions of both the risk manager and the internal audit? I believe it’s possible, but in order to better explain I first need to clarify the traditional definitions of residual and inherent risk.
What is residual risk?
Residual risk is most often defined as the risk that remains in an organization taking in account all mitigating actions that have been taken - within burget constraints - in order to optimally manage the risk. It consists of a number of composing factors. Like any risk definition, residual risk is defined as a function of the factor impact and the factor likelihood.
These are well known concepts. But, let’s focus a bit on them.
Impact is a rather generic definition. Impact on what? I often define impact relative to the mission, vision, objectives and goals an organization has. In case an event impacts an organization in a way that it hinders the organization in achieving its objectives, the risk of that event is a significant risk, and needs to be taken into account in a risk management exercise. Impact is also relative to the organization. The organization defines its objectives, and a risk will be more or less significant depending on the influence it has on the objectives and the importance of those objectives for the entire organization.
Let’s look at likelihood for a moment. I often read that likelihood is a function of how likely it is a risk will occur. But the problem is that that definition does not truly define likelihood. You just use other words to say the same thing. What influences likelihood? I follow Bill Sewall when he states that likelihood is a function of two other aspects. I call these vulnerability and (situational) exposure (Sewall uses vulnerability and threat). Let’s make that more concrete.
In any situation, your organization, your department, your process or you, yourself, can be vulnerable. If the risk would occur, there will be damage. Vulnerability reflects how significant that damage would be. Sitting under a tree during a thunderstorm: very vulnerable. The point is, whereas sitting under a tree is indeed very dangerous, the vulnerability, or at least that kind of vulnerability, gains relevance only during a thunderstorm. It is there all the time. You are human, lightning can hurt you. But lightning can only hurt you if you expose yourself to a situation where lightning is present.
About situational exposure
Hence, the situational exposure is important as well. Let’s take another example. Imagine you are driving a car while blindfolded. Not necessarily a good idea, because you can hit something. You are vulnerable. However, if the situation is such that you are driving a car blindfolded in the middle of a salt flat with kilometers and kilometers of space on all sides, you are less exposed than if you were to be doing this in the middle of a densely wooded area or a city.
Likelihood of occurrence is therefore not only a function of the inherent vulnerability but also of the exposure, which depends on the situation. When assessing likelihood, you need to assess both vulnerability as well as exposure.
But what then is inherent risk? Let’s reverse traditional definitions and look at it starting from the definition of residual risk. Residual risk is a function of the vulnerability, the situation and the impact of the risk. Now imagine that if the risk event would occur, no mitigating factors would be in place. What would that mean for the definition? In essence, the vulnerability would be total. The impact would be there under all conditions, without the mitigating effect of a reduced vulnerability.
To illustrate: a car drives through a pitted landscape. Some cars have been built to be less vulnerable to the shocks and jilts of the holes in the ground. Their residual risk is lower than that of other cars, which still provide some mitigation by means of their shock absorbers. However, in the extreme case there is nothing, just an engine, a chassis and wheels. The first pit you encounter will be the last, and the impact will be total.
Inherent risk can be defined as a function of exposure and impact, not taking in account the aspect of vulnerability.
Relevant risk questions
What then are the relevant questions that should be asked during a risk assessment to provide both internal audit and the risk manager with relevant input? I distinguish four different questions.
- How vulnerable are you now to a certain risk? (Factor A) Considering the risk would occur, how vulnerable are you, here and now, to this risk? In an extreme situation, you are entirely exposed to a risk. If it occurs, the full impact will be felt. At this point, the inherent risk equals the residual risk. At the other end of the spectrum is a situation where you are completely covered. You are untouchable, invulnerable, you have almost Superman-like protection.
- How exposed are you (here and now)? (Factor B) The second question assesses the situation in which you, the process, the department or the organization as a whole is with respect to this risk. How often do risk events happen, here and now? It’s the question assessing whether or not you are in dangerous territory. Not knowing how to swim is a vulnerability, but if you are not exposed to water, you should break a sweat. If you are in the middle of the ocean in a small boat, that is a very different story. The answer can be highly exposed on the one end and not or barely exposed on the other.
- How much effort do you put in mitigation? (Factor C) This is an essential question for risk management. It queries the investment to date in the mitigation of a specific risk. Imagine you are still driving the car, blindfolded, in the middle of the woods. As a mitigating strategy, the organization decided to let you be assisted by an - also blindfolded, of course - psychic. They have found the most expensive psychic in the world, with the best reputation ever. They throw all at it but the proverbial kitchen sink. The put a lot of effort in the mitigation. Likely, it will not really work, and the effort will not have yielded the desired effects. For a risk manager, this is an indication to start doing something different. The scale can range from a high level of effort to no effort at all.
- If the risk occurs and mitigation fails, what will be the impact? (Factor D) What happens when disaster strikes? What happens when all defenses are breached? What if all controls, all systems fail? What will be the worst possible outcome? This is the final question asked. The answer can be catastrophic, or may be - at the other side of the spectrum - immaterial.
The question NOT to ask: How effective is your mitigation? (Factor A’)
Mitigation effectiveness is a relevant question from the point of view of internal audit. I call it factor A’, or A inverse, because it is the exact inverse of factor A. Vulnerability is a function of mitigation effectiveness. We can use the inverse of vulnerability as an indicator of the effectiveness of the risk mitigators. A low to non-existent vulnerability matches a high mitigation effectiveness, whereas a high degree of vulnerability indicates a low level of mitigation effectiveness.
The question then remains: based on these four questions and five parameters, of which one is a derived parameter, which matrices can be generated?
- Residual Risk Effort matrix (Risk Management) - From a risk management point of view, we have all required information to generate a residual risk effort matrix, the matrix used by risk managers to focus their activities on mitigating the risk areas with the highest exposures. On the vertical axis, we show the residual risk level. This residual risk level is a function of vulnerability, exposure and impact, or factors A, B and D. On the horizontal axis we show effort, factor C.
- Inherent Risk Control matrix (Internal Audit) - The information gathered also allows us to present an inherent risk control matrix, such as the ones used for internal auditing. On the vertical axis, we show the level of inherent risk. We calculate this based on exposure and impact, again, assuming the vulnerability is total (i.e. there are no mitigations). For this, we use factors B and C. On the horizontal axis, we show the level of current risk management, which can be presented by the mitigation effectiveness, or factor A’ or A inverse.