20XX Entity Risk Assessment Management Questionnaire - Version 5

This document is a risk assessment management questionnaire completed by an unnamed individual for an unnamed company. It consists of three sections that assess: 1) the company's control environment including risk management processes, integrity/ethics, and organizational structure; 2) strategic business risks such as competition, technology changes, and reputation; and 3) operational risks including customer satisfaction, outsourcing, human resources, and pricing. The respondent is asked to rate the significance, likelihood, and ability to mitigate various risks on a 5-point scale from strongly agree to strongly disagree.

Uploaded by

Milan Pasula

20XX Entity Risk Assessment

Management Questionnaire - Version 5


Completed By:
Name:
Division:

SECTION I. Corporate Control Environment


The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's employees, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Rating scale for each statement: SA = Strongly Agree, A = Agree, N = Neutral, D = Disagree, SD = Strongly Disagree.

Risk Assessment
A. Management fully considers risks in determining the best course of action.
B. The existence of risks and management's recognition of this is appropriately communicated to employees.
Board of Directors
C. The Board is active and possesses an appropriate degree of management, technical, and other expertise, coupled with the mind-set necessary to perform its oversight responsibilities.
D. The Board is prepared to question and scrutinize management's activities, present alternative views, and act in the face of wrongdoing.
Objective Setting
Business objectives are appropriately communicated as they relate to objectives targeted by the following organization layers:
E. - Company Level
F. - Divisional Level
G. - Departmental Level

Integrity and Ethical Values
H. The entity's standards of behavior reflect integrity and ethical values.
I. Ethical values are not only communicated but also accompanied by explicit guidance regarding what is right and wrong.
J. Integrity and ethical values are communicated through a formal code of conduct.
K. Upward communication channels exist where employees feel comfortable bringing relevant information forward.
L. Integrity and ethical values are communicated through management actions and the examples they set.
Commitment to Competence
M. Competence of the company's employee base reflects the knowledge and skills needed to perform assigned tasks.
N. Management places an appropriate amount of attention on acquiring and retaining the skill levels necessary to accomplish the company's goals and objectives.
Organizational Structure
O. The company's organizational structure defines key areas of responsibility and establishes accountability.
Assignment of Authority and Responsibility
P. The company's assignment of authority and responsibility clearly establishes the degree to which individuals and teams are authorized and encouraged to act to address issues, solve problems and take advantage of presented opportunities.
Q. The company's assignment of authority and responsibility clearly establishes limits of authority.
R. Individuals know how their actions interrelate and contribute to achievement of the company objectives.
Human Resource Standards
S. Standards appropriately address hiring, orientation, training, evaluating, counseling, promoting, compensation, and remedial actions, driving expected levels of integrity, ethical behavior, and competence.

T. Disciplinary actions send a clear message that violations of expected behavior will not be tolerated.

Rating columns for each of the risks that follow:
- Significance of Impact
- Likelihood of Occurrence
- Effectiveness of Ability to Mitigate Occurrence or Impact
- Comments: please use this section to add any comments which you feel would further clarify your response.

SECTION II. Strategic Business Risk

Events may occur which will directly impact the company's ability to fulfill key priorities.

1 Industry/Market/Competitor Risk - A. New entrants threaten the company's competitive position.
2 Industry/Market/Competitor Risk - B. Destructive pricing in the industry threatens fulfillment of the company's key priorities.
3 Industry/Market/Competitor Risk - C. Unexpected actions of competitors in the market threaten the company's competitive position.
4 Industry/Market/Competitor Risk - D. Unexpected changes in the market threaten the company's competitive position.
5 Integration Risk. Poor merger integration processes threaten fulfillment of the company's key priorities.
6 Risk Management Risk. Immature risk management processes and lack of accountability impact fulfillment of the company's key priorities.

7 Catastrophic Loss Risk. A major disaster threatens the company's ability to sustain safe operations, provide essential services, and/or recover operating costs.
8 Data Exposure Risk. A significant exposure of sensitive data entrusted to the company's care causes the company to publicly disclose security weaknesses or outsider intrusion.
9 External Data Risk. Interruption to the availability and/or quality of external data significantly impairs the functionality or value of the company provided services.
10 Technology Shift Risk. Dramatic shifts or adjustments in emerging technology are not capitalized upon due to the company's reliance on current paradigms.
11 Social/Political Risk. Adverse social or political actions (including terrorism) significantly impact the travel industry, threatening the company's resources and future cash flows.
12 Product/Service Failure Risk. Service or product failures threaten the company's ability to maintain customer satisfaction or expand market share, or otherwise negatively impact operations.
13 Product Portfolio Risk. The risk that the company will not maximize business performance by effectively prioritizing and balancing its products in a strategic context.
14 Strategic Planning Risk. An ineffective strategic planning process may result in irrelevant information that threatens the company's capacity to formulate viable business strategies.
15 Leadership Risk. The risk that the company employees are not being led effectively, resulting in a lack of direction, customer focus, motivation, management credibility and trust throughout the company.
16 Reputation Risk. The risk that the company loses customers, key employees, or its ability to compete due to perceptions impacting the company's reputation in the marketplace.

17 Life Cycle Risk. The risk that the company does not effectively manage the movement of its product lines and monitor the evolution of its industry throughout the relevant life cycle (e.g., start-up, growth, maturity and decline), resulting in failed business strategies and missed opportunities.
18 Business Interruption Risk. Business interruptions stemming from technological failures, equipment failures, or other events occur which result in an unfavorable impact on operations.
19 Change Readiness Risk. The company is unable to implement process or service improvements quickly enough to keep pace with changes in the marketplace.
20 Perimeter Breach Risk. The company's perimeter technical and physical defenses are not effective in maintaining system integrity and data confidentiality, resulting in loss of customer/market confidence.
21 Application & Product Offering. Portfolio and product controls are not effective in ensuring products are appropriately implemented and function consistent with the company management intentions.

SECTION III. OPERATIONAL RISK

Events may occur which will impact the effective or efficient use of corporate resources. The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

22 Customer Satisfaction Risk. The company's processes do not consistently meet or exceed customer expectations, potentially impacting future earnings potential.
23 Outsourcing Risk. Failure to manage outsourced activities may result in the third parties not acting within the intended limit of authority or not performing in a manner consistent with the company's strategies, objectives, or regulatory requirements.

24 Contract Commitment Risk. Lack of relevant and/or reliable information about existing contract commitments may preclude decision makers from making informed decisions about potential incremental commitments and may result in decisions that are not in the best interest of the company.
25 Resource Allocation Risk. The company's resource allocation process does not establish and sustain competitive advantage or maximize returns.
26 Employee Satisfaction Risk. The company does not adequately provide for physical security and other aspects of a conducive work environment necessary to ensure continued employee satisfaction.
27 Human Resources Risk. A lack of training, knowledge, skills, career opportunities, or experience of the company's key personnel threatens the achievement of critical business objectives.
28 Authority/Limit Risk. The risk that ineffective lines of authority and/or failure to establish clear policies or limits of authority causes managers or employees to do things they should not do or fail to do things they should.
29 Performance Incentives Risk. Unrealistic, misunderstood, subjective, or non-actionable performance measures cause managers and employees to act in a manner inconsistent with the company's objectives, strategies, ethical standards and prudent business practices.
30 Management/Employee Fraud Risk. Management fraud (i.e., intentional misstatement of financial statements or misappropriation of assets) adversely affects the company's reputation or exposes the company to financial loss.
31 Unauthorized Use Risk. The company's physical, financial, or information assets are used for unauthorized or unethical purposes by employees or others.
32 Pricing Risk. Lack of relevant and/or reliable information supporting pricing decisions may result in unprofitable contractual arrangements.

33 Organization Structure Risk. The company's organizational structure negatively impacts the ability of the company to react to change, or negatively impacts the company's ability to fulfill business strategies.
34 Process Efficiency/Effectiveness/Performance Risk. Inefficient, ineffective or poorly designed operations and unnecessarily slow processes threaten the company's ability to achieve business objectives. Evaluate the risk specific to processes within the following cycles/processes.
34.a - Procurement & Payables
34.b - General Ledger & Financial Reporting
34.c - Subscriber Contracting & Billing
34.f - Payroll & Benefits Processing
34.g - Quote to Cash Contracting Process
34.h - Product Development
34.k - Technical Operations - Data Center Operations
34.l - Technical Operations - Other Infrastructure Support
35 Communications Risk. Ineffective communication channels result in messages that are inconsistent with authorized responsibilities and do not effectively convey information as intended.
36 Capacity Risk. Current practices result in under-utilized resource capacity, driving higher capital costs and lower profit margins; or inadequate resource capacity results in an inability to satisfy customer needs and demands.
37 Supply Availability/Critical Vendor Risk. Limited availability or problems with a critical vendor threaten the company's ability to provide quality service at competitive prices.
38 Technical Infrastructure Risk. The risk that information technology, hardware, networks, software, people, and processes do not effectively and efficiently support the current and future processing needs of the business.

39 Product Development Risk. The company's product development processes (testing, change control and development methodology) result in the creation of products that customers do not want, are unnecessarily late in reaching the market, or lack integrity.
40 Production Change Control. The company's technology controls are ineffective in ensuring only approved application programs are loaded into the production environment in accordance with the intentions of management.
41 Identity Management. The company's access controls are not effective in preventing inappropriate access to data or systems.

SECTION IV. REPORTING RISK

Events may occur which will impact the reliability of reporting capabilities.

42 Information Relevance Risk. Information is distributed in a manner which allows its use for an unintended purpose or one for which it lacks relevance.
43 Cash Flow Risk. The risk that the company is exposed to financial loss as the result of the inability to access cash in a timely manner and fund the operational or financial obligations of the company.
44 Credit and Collections Risk. The company is exposed to actual loss or opportunity cost as a result of the default (or other failure to perform) by an entity with which the company does business.
45 Opportunity Cost Risk. The risk that the company processes do not effectively ensure funds will be used in a manner most beneficial to future earnings and operations of the company.

46 Budget and Planning Risk. The risk that budgets and business plans are not (1) realistic, (2) based on appropriate assumptions, (3) based on relevant cost drivers and performance measures, or (4) accepted by key managers. This also includes the risk that budget-to-actual information and performance measures are not available and therefore threaten management's ability to monitor performance.
47 Completeness and Accuracy Risk. Incomplete and/or inaccurate information (financial or non-financial) contributes to inappropriate business decisions. This would apply to both information used internally in support of operations, and information communicated to the investor community.
48 Integrity Risk. The risk that systems are vulnerable to manipulation and that the data and/or transactions are not adequately protected from intentional or accidental manipulation or deletion.
49 Access Risk. The risk that systems and processes do not sufficiently safeguard access to information.
50 Availability Risk. The risk that information will not be available when needed if loss of communication (e.g., cut cables, telephone system outage), loss of basic processing capability (e.g., electrical outage, capacity limitations) or operational difficulties (e.g., disk drive breakdown, operator errors) were to occur.

SECTION V. COMPLIANCE RISK

Events may occur which will impact the company's ability to comply with the rules and regulations to which it is obligated.

51 Legal/Regulatory Risk. The risk that changes in laws/regulations or litigation claims and assessments result in a reduction to the company's ability to efficiently conduct business.

52 Regulatory Compliance Risk. Nonconformance with current laws and regulations (e.g., European Community, PCI Security) exposes the company to sanctions, fines, and penalties and threatens the company's reputation, business opportunities, and expansion potential.
53 Taxation Risk. The risk that the company is not in compliance with all tax regulations and requirements; or that significant transactions are entered into which have adverse tax consequences that could have been avoided had they been properly reviewed and structured.
