We will utilize our risk assessment models as a baseline to develop a specific risk assessment for your organization and goals. Before answering this question, note that the process for creating a risk assessment tool is similar, but it is important to understand which category of risk assessment is required.
There are two categories of risk assessments we have experience in conducting. The first is an enterprise-wide risk assessment that assesses all parts of the organization. This typically feeds into an internal audit planning exercise, which serves to mitigate the risks identified. The second category covers risk assessments focused on a specific subject matter such as Anti-Money Laundering, Compliance, and Information Technology. Why is a more detailed assessment required for these topics? Typically, the reason is that there are specific rules and requirements attached to them and that the compliance structure requires multiple functions and areas within an organization.
It will be helpful to understand what goals the risk assessment will help achieve for your organization. The risk assessment tool will evaluate the likelihood and impact of a specific area’s risks. Some typical risks we would assess include:
• Operational Risk
• Compliance Risk
• Fraud Risk
• Technology Risk
• Third-party Risk
• Financial Risk
Our team is well-versed in performing risk assessments and will follow the latest guidance related to risk assessments to ensure a thorough review is conducted in this process. We will work with you and your team to first understand the information already available (existing key risk indicators, performance indicators, monthly management reports, etc.). We will conduct a workshop with key stakeholders to discuss the risk assessment methodology, including audit/risk universe, risk factors, rating scale, and definitions.
A risk assessment survey will be enhanced and sent to stakeholders to help collect initial inputs to the risk assessment tool. Facilitated risk assessment meetings will be conducted to further inform our understanding of risks. The result of the risk assessment will include both the risk assessment model and tool and the risk assessment report which will include risk heat maps, summary, and details to support each risk rating.
Based on the results of the risk assessment, we will develop a long-term monitoring and evaluation program which will outline functions/areas to review for the first year as well as to recommend coverage for subsequent years.
Because this work typically requires senior-level conversations and a deep understanding of your business as well as the risk assessment methodology, senior-level resources are assigned. A lead senior advisor and other advisors of comparable skills will be the primary resources conducting the risk assessment. The lead senior advisor will be the key contact for this engagement. He/she will communicate and facilitate progress and maintain the risk assessment tool. The lead senior advisor will typically serve as the subject-matter expert guiding the risk assessment process, including facilitating risk assessment workshops and providing input on the risk methodology, risk factors, and risk ratings to ensure consistency.
Is this a tool that we will own and be able to easily manipulate to our changing needs or will we need to pay some sort of subscription service or get others to update the tool for us?
Our risk assessment methodology utilizes Microsoft Excel. Excel’s widespread use means there is minimal learning or maintenance required on the software. As part of our approach, we will be customizing our existing risk assessment tools to best represent the scope and objective of your specific project.
Why not use 3rd party software?
Although we have both worked with 3rd party software, it is our belief that it is important to have a strong foundation in a well-documented risk assessment methodology prior to selecting or implementing a software tool. With that principle in mind, our approach utilizes basic software tools to help communicate and document what is often viewed as a complex process. We view the result of our work together as the development of a set of functional requirements with a live mockup. Both are valuable inputs to either a Buy vs. Build or 3rd Party Software Selection process.
Once we have finalized the risk assessment results with you, we will provide a walkthrough and documentation of the tool describing processes such as add/change/delete of risk categories, weighting, and ranking of risks, inputs of quantitative and qualitative risk rationale, static data such as functions, risk levels, and reporting.
Our existing tools are set up to provide dashboards and summary views of the detailed risk assessments. So, the reporting would be automated. Of course, additional reporting can also be customized in Excel.
On a periodic basis, we recommend performing either a refresh or a revamp of the tool, depending on the magnitude of changes within your organization or from external forces such as extensive rule changes. The risk assessment tool would require manual inputs such as results of any monitoring or audits, or external factors not envisioned in the existing model, that would impact the risk assessment outcomes. In our experience, the risk assessment model is reviewed on a yearly basis with discretion to adjust as needed.
Once we have had a conversation regarding your risk assessment needs, we will be able to send you a sample.
Please send us an inquiry at email@example.com.