
After risks have been identified at both the entity level and the transaction level, a risk analysis needs to be performed. The methodology for analyzing risks can vary, largely because many risks are difficult to quantify. Nonetheless, the process—which may be more or less formal—usually includes assessing the likelihood of the risk occurring and estimating its impact. In addition, the process could consider other criteria to the extent management deems necessary.

Levels of Management

As with other processes within internal control, responsibility and accountability for risk identification and analysis processes reside with management at the overall entity and its subunits. The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management with expertise.

Significance of Risk

As part of risk analysis, the organization assesses the significance of risks to the achievement of objectives and sub-objectives. Organizations may assess significance using criteria such as:

Likelihood of risk occurring and impact

Velocity or speed to impact upon occurrence of the risk

Persistence or duration of time of impact after occurrence of the risk

“Likelihood” and “impact” are commonly used terms, although some entities use instead “probability,” “severity,” “seriousness,” or “consequence.” “Likelihood” represents the possibility that a given event will occur, while “impact” represents its effect. Sometimes the words take on more specific meaning, with “likelihood” indicating the possibility that a given risk will occur in qualitative terms such as “high,” “medium,” and “low,” and “probability” indicating a quantitative measure such as a percentage, frequency of occurrence, or other numerical metric.

Risk velocity refers to the pace with which the entity is expected to experience the impact of the risk. For instance, a manufacturer of consumer electronics may be concerned about changing customer preferences and compliance with radio frequency energy limits. Failing to manage either of these risks may result in significant erosion in the entity’s value, even to the point of being put out of business. In this instance, changes in regulatory requirements develop much more slowly than do changes in customer preferences.

Management often uses performance measures to determine the extent to which objectives are being achieved, and normally uses the same or a congruent unit of measure when considering the potential impact of a risk on the achievement of a specified objective. An entity, for example, with an objective of maintaining a specified level of customer service will have devised a rating or other measure for that objective—such as a customer satisfaction index, number of complaints, or measure of repeat business. When assessing the impact of a risk that might affect customer service—such as the possibility that the entity’s website might be unavailable for a time period—impact is best determined using the same measures.

A risk that does not have a significant impact on the entity and that is unlikely to occur generally does not require a detailed risk response. A risk with a higher likelihood of occurrence and/or the potential of a significant impact, on the other hand, typically results in considerable attention. But even those risks with a potentially high impact that have a low likelihood will be considered, avoiding the notion that such risks “couldn’t happen here,” as even low likelihood risks can occur. The importance of understanding risks assessed as having a low likelihood is greater when the potential impact of the risk might persist over a longer period of time. For instance, the long-term impact on the entity from environmental damage caused by the entity’s actions may be viewed much differently than the long-term impact of losing technology processing in a manufacturing plant for several days.

Estimates of significance of the risk often are determined by using data from past events, which provides a more objective basis than entirely subjective estimates. Internally generated data based on an entity’s own experience may be more relevant and provide better results than data from external sources. Even in these circumstances, however, external data can be useful as a checkpoint or to enhance the analysis. For example, a company’s management assessing the risk of production stoppages because of equipment failure looks first at frequency and impact of previous failures of its own manufacturing equipment. It then supplements that data with industry benchmarks. This allows a more precise estimate of likelihood and impact of failure, enabling more effective preventive maintenance scheduling. Note, too, that using data from past events can provide incomplete conclusions where events occur infrequently.

In addition, management may wish to assess risks using a time horizon consistent with the time horizon of the related objectives. Because the objectives of many entities focus on the short- to mid-term, management analyzes risks associated with those time frames. However, some objectives extend to the longer term, and management must not ignore those risks that might be further into the future.

Inherent and Residual Risk

Management considers both inherent and residual risk. Inherent risk is the risk to the achievement of entity objectives in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual risk is the risk to the achievement of objectives that remains after management’s responses have been developed and implemented. Risk analysis is applied first to inherent risk. Once risk responses have been developed, as discussed below, management then considers residual risk. Assessing inherent risk in addition to residual risk can assist the organization in understanding the extent of risk responses needed.
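The following is an added worked example, not part of the original text or of any published framework, that puts the analysis steps above into code: likelihood estimated from the entity’s own failure history with an industry benchmark as a checkpoint, impact expressed in the objective’s own unit, velocity and persistence recorded as further criteria, inherent exposure computed before and residual exposure after management responses, and a rule that only a risk which is both unlikely and insignificant skips a detailed response. The Risk and Response classes, the 70/30 weighting, the thresholds and all sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Response:
    """A planned management response; factors scale likelihood and/or impact (hypothetical)."""
    name: str
    likelihood_factor: float = 1.0   # 0.5 halves the expected frequency
    impact_factor: float = 1.0       # 0.5 halves the loss per occurrence

@dataclass
class Risk:
    name: str
    likelihood: float                # expected occurrences per year
    impact: float                    # loss per occurrence, in the objective's own unit
    velocity_days: float             # time from occurrence until the impact is felt
    persistence_days: float          # how long the impact lasts once it is felt
    responses: List[Response] = field(default_factory=list)

def estimate_likelihood(internal_counts, benchmark, weight_internal=0.7):
    """Annual frequency from the entity's own history, with an external benchmark as checkpoint."""
    internal_rate = sum(internal_counts) / len(internal_counts)
    return weight_internal * internal_rate + (1 - weight_internal) * benchmark

def inherent_exposure(r):
    """Likelihood x impact before any management response (analyzed first)."""
    return r.likelihood * r.impact

def residual_exposure(r):
    """Likelihood x impact after every planned response has been applied."""
    lik, imp = r.likelihood, r.impact
    for resp in r.responses:
        lik, imp = lik * resp.likelihood_factor, imp * resp.impact_factor
    return lik * imp

def needs_detailed_response(r, impact_threshold, likelihood_threshold):
    """Only a risk that is both unlikely AND insignificant skips a detailed response."""
    return r.impact >= impact_threshold or r.likelihood >= likelihood_threshold

# Constructed sample data for an objective measured in production hours per year.
FAILURE_HISTORY = [2, 1, 3, 2, 2]     # own equipment failures per year, last five years
INDUSTRY_BENCHMARK = 2.5              # failures per year at a comparable plant (constructed)
EQUIPMENT = Risk("equipment failure", estimate_likelihood(FAILURE_HISTORY, INDUSTRY_BENCHMARK),
                 impact=16, velocity_days=0, persistence_days=1,
                 responses=[Response("preventive maintenance", likelihood_factor=0.5)])
RF_LIMITS = Risk("RF emission non-compliance", likelihood=0.05, impact=2000,
                 velocity_days=180, persistence_days=365,
                 responses=[Response("pre-certification testing", likelihood_factor=0.2)])
PRINTER = Risk("office printer outage", likelihood=0.5, impact=2, velocity_days=0, persistence_days=1)
```

With thresholds of 500 hours impact and one occurrence per year, the rare but high-impact RF risk still gets a detailed response while the printer outage does not.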
