RISK ASSESSMENT AND RISK MANAGEMENT

OVERVIEW

Risk assessment involves identifying, analyzing, and evaluating potential risks that may
impact an organization's objectives. It encompasses methods to identify hazards,
assess their likelihood and potential impact, and prioritize them for management. The
goal of risk management is to enable organizations to make informed decisions,
optimize opportunities, and mitigate threats to achieve their objectives effectively.
Together, risk assessment and risk management form essential components of
organizational resilience and success in navigating uncertain environments.

LEARNING OBJECTIVES

After a thorough discussion of this lesson, the learner will be able to:
1. Identify and measure risks in order to develop risk matrix and risk responses
2. Explore the elements and the processes of the risk management processes that
organizations can adopt in establishing effective risk management framework

COURSE MATERIALS

Identification of Risks

Risk Assessment is the identification of the relevant risk. If a risk has not been
identified, it won’t be measured or analyzed either. Finding the relevant risks is an
essential component of any risk assessment. This presents itself as a database of risk.
This step is frequently not thorough enough or carried out by people with restricted
understanding of the evaluation process. Therefore, only a portion of the relevant risks
are determined. This results in a number of restrictions, the primary one being that all
other actions related to risk assessments create several limitations. In the event that a
risk is unidentified, it neither be quantified nor examined.

A constructed list can also be used to find applicable risks. There are several formats
accessible, frequently arranged by sector. Information Technology Infrastructure Library
(ITIL), COSO, ISO, CVNET, and other organizations have created lists that can assist in
identifying some of the key hazards that need to be considered in the evaluation. When
utilizing the risks, auditors should constantly take the distinctive features of their
companies and ensure that the list is modified accordingly. As though, not every item on
the prepared list would be relevant, but several parts are going to be suitable.

Internal auditors must always keep in mind that there are INTERNAL and EXTERNAL
CONSTRAINTS in organizations.
SUBJECT: ACCO 40033 OPERATIONS AUDITING
PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA
Internal Constraints
● Equipment. The types of equipment that are accessible and their applications
that can restrict the capacity of a process to deliver services and create more
high-quality goods.
● People. Any organization’s ability to produce is limited by an inadequate number
of knowledgeable and driven professionals.
● Policies. Both explicit and implicit can stop the process from generating more
high-quality goods and services.

External Constraints
It is caused by external factors and can be too challenging to control due to their
unpredictability.

Measurement of Risks

Risk measurement is a crucial aspect of decision-making in various fields, including

finance, business, and project management. It involves assessing the uncertainty and
potential negative outcomes associated with a particular decision or action. This
instructional material will provide a comprehensive overview of risk measurement, its
importance, and various methods employed for accurate assessment.

Risk is measured by the amount of volatility, that is, the difference between actual
returns and average (expected) returns. This difference is referred to as the standard
deviation. Returns with a large standard deviation (showing the greatest variance from
the average) have higher volatility and are the riskier investments. But first of all let us
know first the importance of Risk Measurement for a certain firm.

Significance of Risk Measurement

● Allows a firm to have effective decision making and analyze the business
situation at the current state.
● Improves and engages in proper financial management of the company.
● A robust risk measurement framework helps project managers anticipate
challenges and develop contingency plans, ensuring project success.

Method Used for Risk Measurement

Quantitative Method
● Value at Risk (VaR) - VaR is a statistical measure that quantifies the potential
loss in value of a portfolio or investment within a specific time frame and
confidence level.

SUBJECT: ACCO 40033 OPERATIONS AUDITING

PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA
 ● Standard Deviation - a statistical measure of the dispersion of returns, standard
deviation is commonly used to assess the volatility and risk associated with an
investment

Qualitative Method
● Risk Matrix - A graphical tool that helps assess and prioritize risks based on
their impact and likelihood.
● Scenario Analysis - This method involves considering different scenarios and
their potential impact on a project or decision.

Below is the sample of criteria to analyze the range of values under the risk
measurement.

Risk Measurement Implementation

To further analyze the process of risk measurement, this process begins with data
collection. Accurate risk measurement requires reliable data. Collect relevant
information about potential risks, their probability, and potential impact. After that, the
risk assessment. Apply chosen risk measurement methods to assess the identified
risks. Consider both quantitative and qualitative factors for a comprehensive
evaluation.Lastly, the mitigation strategies. Develop and implement strategies to
mitigate or manage identified risks. Regularly review and update risk assessments as
the project or decision progresses.

Understanding and effectively measuring risk are critical skills for individuals and
organizations in various domains. By employing a combination of quantitative and
qualitative methods, informed decision-making becomes possible, leading to more
successful outcomes.

SUBJECT: ACCO 40033 OPERATIONS AUDITING

PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA
Risk Matrix

Risk management is an essential process in any organization to identify, assess, and

mitigate potential risks that may impact its objectives. One of the key tools used in risk
management is the risk matrix, which aids in evaluating and prioritizing risks based on
their likelihood and potential impact.

The Risk Matrix is a visual representation of different risk levels, usually presented in a
grid format. It consists of varying levels of likelihood (ranging from low to high) and
levels of impact (ranging from minor to catastrophic). By plotting identified risks on the
matrix, organizations can gain a clearer understanding of their overall risk exposure and
determine which risks require immediate attention.
The matrix is thus a critical component of risk assessment, because without it identified
risks cannot be assessed or evaluated.

The risk matrix helps organizations prioritize their efforts in managing risks. Risks falling
in the high or extreme risk zones usually require immediate action such implementing
risk mitigation strategies or contingency plans. Risks in the medium risk zone may need
additional monitoring and periodic reassessment, while risks in the low-risk zone can be
accepted or managed with routine controls. It's important to note that the risk matrix

SUBJECT: ACCO 40033 OPERATIONS AUDITING

PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA
should be regularly reviewed and updated as new risks emerge or existing risks evolve.
It should also be tailored to the specific needs and context of each organization since
different industries and environments may have unique risk profiles.

The conduct of a risk assessment means that we should look for the weaknesses
(sometimes referred to as vulnerabilities) that would make an asset susceptible to
damage or loss from the hazard.

APPROACHES OF IDENTIFYING RELEVANT EVENTS

● Objective Based - Identify events that may hinder the ability of the organization
to achieve its objectives partially or completely.
● Scenario Based - Create different scenarios or alternative ways of achieving
objectives and determine how forces interact. A useful approach is to identify and
understand the triggers caused or accelerated by these scenarios, the
organization can better prepare itself to leverage opportunities and avoid
negative consequences.
● Common Risk Checking - Use a prefabricated list of common risks in your
industry or area of scope.
● Risk Charting - Combination of above approaches consists of listing resources
at risk and the threats to those resources. The impact of these hazards and how
to reduce them is the next aspect of the risk assessment process. This is referred
to as mitigation.

Here in the example, the following risks are sorted according to the likelihood that they
will occur and the damage they might cause:

Then a very simple risk matrix could look like this.

To denote the threat level, many risk maps feature a red-yellow-green color-coding that
indicates whether risks are significant, moderate, or low-level concerns respectively.

SUBJECT: ACCO 40033 OPERATIONS AUDITING

PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA
(Hence why risk matrices are often called risk heatmaps.) You may also come across
risk heatmaps that use different shades of one color instead of red-yellow-green.

ORGANIZATIONAL HAZARDS

There are many hazards that can threaten the safe and continued operation of an
organization. (Table 3.5) The list of hazards is substantial, and the resources available
to identify and incorporate them in the risk assessment have improved over the past few
years as well.

The risk assessment, with the identification of hazards, assets at risk, impact analysis,
and response activities can serve the organization well and increase the likelihood that
goals and objectives will be achieved. The challenge today is greater than in the past,
however, because in today’s dynamic and highly competitive business and operating
environment, organizations lacking the ability to adapt, and take advantage of
opportunities proactively are as likely to fail as those that poorly manage the risk of
adverse outcomes.

Organizations must be resilient, so as much anticipating adverse outcomes is key to

success, the lack of flexibility to embrace new technologies, understand, and capitalize
on new technologies, financial products, emerging markets, and social dynamics can be
the cause of ruin. Organizations may find out all too late that others have gained market
share, obtained the necessary funding, and reduced their operating costs faster,
rendering them uncompetitive.

SUBJECT: ACCO 40033 OPERATIONS AUDITING

PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA
Risk Responses

The risk response planning includes 2 major activities - (1) Identifying and (2) Creating a
Plan. According to the conference paper created by Becker (2004), the possible risk
response strategies were the following:

● Avoidance - Eliminating such tasks that accommodates risk or taking a

completely different approach to it
● Transfer - Transferring the risk to another person or elsewhere
● Acceptance - allowing the risk to happen then deal with the consequences
● Optimization - Developing a plan to reduce the consequence and likelihood of a
risk event occurring

Definition of Terms

Heatmaps - are visual representations of data where values are depicted by color,
making it easy to visualize complex data and understand it.
Vulnerability - degree to which people, property, resources, systems, and cultural,
economic, environmental, and social activity is susceptible to harm,
degradation, or destruction on being exposed to a hostile agent or factor.

REFERENCES

● Risk response strategies: mitigation, transfer, avoidance, acceptance - Twproject:

project management software,resource management, time tracking, planning,
Gantt, kanban
● Murdock H. (2022) Operational Auditing: Principles and Techniques for a
Changing World. Pp. 65-70
● Jorion, P. (2007). Value at Risk: The New Benchmark for Managing Financial
Risk.
● Bodie, Z., Kane, A., & Marcus, A. J. (2014). Investments.
● Hillson, D., & Murray-Webster, R. (2007). Understanding and Managing Risk
Attitude
● Van der Helm, A. (2008). Scenario-based Strategic Planning: Developing
Strategies in an Uncertain World.
● Becker, G. M. (2004). A practical risk management approach. Paper presented at
PMI® Global Congress 2004—North America, Anaheim, CA. Newtown Square,
PA: Project Management Institute.
● Buczynski, K. (2021, February 26). Risk Assessment Matrix. Industry Risk.
https://industryrisk.com.au/risk-assessment-matrix/
● Boogaard, K. (2022, May 18). What is a risk matrix? Blog Wrike.
https://www.wrike.com/blog/what-is-risk-matrix/

SUBJECT: ACCO 40033 OPERATIONS AUDITING

PREPARED BY: DE GUZMAN, BATOON, GATBONTON, SISON and ARUTA