17 July 2018

It's all about the Target (risk assessment)

In my previous post I commented on the importance of adding a “Target” risk position to the traditional "Inherent" and "Residual" risk assessments, and the linkage to the Risk Appetite. More importantly, the “Target” level for any risk provides a focus on the future.

Let me explain.

Inherent to Residual: Inherent risk is the level of risk before remediation. This is important to ensure that we are focusing on the areas of risk that represent this greatest threat or opportunity for the entity. Inherent risk scoring is subjective, but then so is almost all risk scoring. Yet an assessment, subjective or quantified, of the risk before controls or other remediation ensures that we invest our limited resources on the areas that pose the greatest to achievement of the entity's objectives.

So we’ve assessed the Inherent risk, and we have applied controls for remediation, mitigation, etc. Now we have our “Residual” or “Net” risk position. Again, this is by nature subjective, and fraught with assumptions. But it does provide an assessment of our current state of risk and the level of risk that is being taken by or accepted by the entity. But this is subjective. And it will be wrong.

There will be too many missing controls, controls that are functioning ineffectively, mitigation that is unfocused or not in place. The assessment of the Residual risk position provides a snapshot of the current situation, with no insights into either the level of risk that is acceptable, the actual level of risk being taken, or the level and type of risks that the entity wants to take.

Target: And to we get to the “Target” risk level or assessment. What level of risk does the entity want to take, and what level of risk is acceptable. This fundamentally an assessment of the desired future-state of the risk environment that the entity wishes to work within. And yes, this too shall be subjective. It will also probably be achievable.

As Risk Managers we need to consider and advise on the level of acceptable or desirable risk to be taken or accepted by an entity, across the spectrum of risks. This means that we need to assess not only the raw (Inherent) risk environment and support the allocation of resources to highest or least desirable risk areas, and of course allocation of resources to those areas where we want to take risk. 

We also need to work with management to objectively assess the desired, or acceptable level of risk to take; the Risk Appetite. This should be done globally, and should be done at the level of each identified and recorded (and managed) risk. This is our Target risk level for each risk.

Now, and only now, can we meaningfully assess our “Residual” level or risk, and determine if that level of risk is appropriate. 

If our current (“Residual” or “Net”) equals our Target, then we are running at our desired level of risk. And if we are not, then we now know that our desired future state does not equal our current risk managed state for this, and all other risks where Residual does not equal Target. 

Example of Residual to Target tracking

In the example above, a number of interesting observations can be made, including that the Residual and Target risk assessments change, as risks are reviewed by the Risk Owners. It is also clear that Residual are Target are not the same. Within the data there will probably be a number of individual risks where the Residual assessment equals the Target assessment; the current risk situation for those risks equals the entity's Risk Appetite for those specific risks.

So why does Residual not equal Target? There are three possibilities:

  1. Our control environment is ineffective and or does not include all the controls that are already in place to manage the risks (and these then need to be identified).
  2. Our aspirational level of risk management for risk is too high.
  3. Conversely, we are over-controlled (where Residual is lower than Target for specific risks) and we are potentially stifling the business through excess controls.

And when we determine that our Residual risk position does not equal our Target risk position, we have four option:

  1. Accept that it will not be possible to achieve the desired Risk Appetite for this risk, and, through a Delegation of Risk Authority process, change our Risk Appetite and therefore our Target level for this risk to equate to the current Residual risk level.
  2. Subtly different, but we may determine that the Risk Appetite is not right, and that we do want to accept, or take, more of this risk, and therefore change the Target.
  3. Identify the controls that are not effective and implement improvement programmes or introduce new controls.
  4. Confirm that we are over-controlled and look at which controls are not actually required, or are burdensome and should be replaced with monitoring controls.

What is the role of Internal Audit in this?

The Internal Audit function provides some assurance that the system of internal controls is effective. This requires Internal Audit to determine what areas of business activity they will review. This selection should be risk-based, which means starting with the risk register and consider a balance between this Highest “Inherent” risk areas, and the highest “Residual” risk areas.

As part of each Internal Audit, the assessed level of Target risk should be considered, and Internal Audit should then perform an audit programme designed to confirm (or otherwise) that management’s assessment of the effectiveness of controls is accurate. If the controls are effective, and these controls have been determined to bring the entity to within Risk Appetite, than Internal Audit’s role is limited to questioning the appropriateness of the Risk Appetite. (Note I say question, not set, as that is the role of senior executives and the Board, other others within their Delegation of Risk Authority).

Where the Residual risk level does not meet the Target, Internal Audit should be determining if this is because the controls are ineffective, or because the control environment provides inadequate coverage of the risk. In which case, new controls may be appropriate.

In all cases, Internal Audit should be determining if Management's assessment of the effectiveness of the control environment matches the evidence provide to Internal Audit. If management's assessment is correct, and there remains a delta between the Residual and Target, and senior management and/or the Board are aware, then there is no Internal Audit finding other than the fact that senior management and/or the Board are aware of the difference, and are aware of and support management's plans for remediation.

It's all about the Future

The core message however is that the Inherent risk position represents a “past” with no controls, the Residual risk position represents the present (as assessed by management), while the Target risk represents the future, or desirable control and risk management state, and is one of the enunciation of the entity's Risk Appetite.

The question we ask of Risk Owners is: What are you doing to get from the Residual risk position to the Target risk position, and when will you get there?

No comments:

Post a Comment