Forgotten password?

Risk Identification

This guidance is aimed at those new to the profession although it is also a useful guide for experienced internal auditors to go through to validate what you do or gain some new ideas.

We look first at the basics of what the organisation should do (what, who, when, how) and then look at the role of risk identification throughout the various stages of an internal audit engagement.

Risk identification is the first step in the risk management process; it is fundamental to organisational success and providing relevant independent assurance.

Key takeaways

Identifying risk is part of a process not an isolated activity
Risks can be threats or opportunities
There is a formula for writing a risk statement
There are lots of different risk identification techniques
Personal bias can influence the risks you identify

What do we mean by risk identification?

Risk identification is the acknowledgement and recording of events that, if they occur, have the potential to impact on an organisation’s ability to achieve its objectives, purpose or aims.

It is the first stage of a generic risk management process that is part of an overall risk framework; for which the board is accountable.

Risk Framework

Risks can have a negative effect (threats to an organisation), or have a positive effect (opportunities for an organisation). Internal auditors should be mindful of the language they use: risk is often portrayed as a threat which is incorrect and only one half of the definition.

Risk identification is the acknowledgement and recording of events that, if they occur, have the ability to either positively impact the organisation ie increased revenue through product diversification eg Burberry moved to the production of PPE; or negatively impact the organisation eg regulatory breach eg VW emissions scandal.

The risk management process must be appropriate to an organisation - a one size approach does not fit all.

What criteria does a risk need?

We will look at some of these elements in more detail but essentially:

it must relate to an objective (ie organisational, process, compliance, personal)
it must be up-to-date
it must be clear and actionable
it must be owned by a single individual to drive accountability

Even the most critical of risks can be overlooked if poorly worded.

A strong risk statement will answer the question:

What could happen? (event)
How could it happen? (cause)
Why does it matter? (consequence)

The formula for writing a risk statement is Event + Cause = Consequence.

[Event that has an effect on an objective] caused by [Cause/s] resulting in [Consequence/s].

[Theft of customer data] caused by [system vulnerability due to patches not being updated] resulting in [an Information Commissioner’s Office fine of up to 4% of turnover and the potential reduction in future sales due to loss of customer confidence].

Further guidance on writing risk statements can be found here.

Who in an organisation should identify risk?

A fully embedded risk management process encourages all employees to be risk managers; identifying and assessing risk within their remit and reporting/escalating risks outside their personal accountabilities.

Depending on the size of the organisation, as part of the second line, there may be a risk function or specialist role which facilitates the entire risk framework and supports management.

Typically, the significant risks to the organisation, and of most interest to internal audit, are identified by management, executives, and the governing body (board). They are usually split into strategic, operational and project risks.

Risks are ideally identified in a group environment rather than by individuals operating in isolation. This is because we all have bias and limited knowledge; acknowledging it is important.

In a group it is possible to brainstorm, contribute to, and constructively challenge ideas.

Internal auditors should also seek to identify risks to ensure completeness.

Throughout an audit engagement internal auditors should always be ready to facilitate an individual or group to identify relevant risks; never assume that people know how to do this.

When should risks be identified?

There are two stages to risk identification: initial and continuous.

Initial risk identification is a one-off exercise when there are no documented risks such as in a new organisation, function, project, or process.
Continuous risk identification is a process of reviewing existing and identifying new risks as they arise. Think back to the earlier risk framework wheel, in a risk mature organisation there is a seamless flow between stages five and one.

The frequency of review should be appropriate to the risk appetite of the organisation. In deciding this, the board will take into account the complexity/volatility of the organisation and its environment together with a commitment of resource.

Some organisations may do an annual or bi-annual review whereas others may integrate it into standard operational meetings. Depending on the frequency specific process steps for stage one may be required to capture new risks as they arise.

Project managers should use defined project management methodologies that include risk management.

Some risks cannot wait!

Risk is something that hasn’t yet happened.

When a risk materialises, it is no longer a risk, it is an issue.

Sometimes you or management might identify a risk that is so time critical you cannot go through the normal internal audit process of providing assurance and agreeing actions to improve its management; it just needs to be managed.

The coronavirus pandemic is a great example of this. The chief audit executive at company X knew that cashflow was critical and that the financial processes were unsatisfactory. Internal audit identified slow paying customers and supported management to focus on accounts receivable.

In times of crisis, internal auditors should check if they are not already aware of what the first and second line are doing and where necessary be prepared to roll your sleeves up and use your internal audit skills to help manage the risk(s). It does not compromise independence to protect the organisation from such immediate threats.

How are risks identified?

Risk must always relate to an objective; this provides context and maintains relevance. Think of it as putting a boundary around the identification process.

Imagine that you are identifying the risks for your next holiday…global shortage of a particular vaccine, strike by airline cabin staff, civil unrest in the country…the list could be endless and quite random but a waste of your time if you’re only going to Brighton!!!

There are lots of different approaches that can help identify risk within a given time frame.

Approach	Description
Facilitated workshop	Useful to get different stakeholders (across a process, a whole team, a topic of mutual interest) together to surface detailed information about the risks ie source, causes, consequences, stakeholder impacted, existing controls
Brainstorm	Creative technique to gather risks spontaneously, everyone should be encouraged to contribute as there are no ‘wrong ideas’ and job roles and hierarchies are left at the door
Interviews	One-to-one discussions to identify risks, useful when detail is required, or sensitive information is involved.
Surveys/Questionnaires	Carefully constructed questions designed to gather data on risks
Data analysis/Artificial Intelligence	Analysis of data and/or use of algorithms can identify trends and predict potential risk events
SWOT analysis	(Strengths, Weaknesses, Opportunities, Threats) A common business analysis tool, the ‘O’ and ‘T’ are risks
PESTLE analysis	(Political, Economic, Sociological, Technological, Legal, Environmental) A common business analysis tool to help identify external risks
Scenario analysis	Involves developing hypothetical but possible future events to anticipate the type of risks that might arise, and resultant opportunities and threats An example of a scenario could be that activists take down the world wide web and global access to the internet is lost
Stakeholder analysis	Stepping into the shoes of others – recognising individuals or groups with interest/influence over the organisation and understanding their objectives and expectations to identify the risks they pose
Audit reports	Review of past risks, particularly useful if the organisation is immature in the development of its risk framework
Past experience	Either corporate or personal – information that contributes to risk identification by having already experienced/witnessed something
Documented knowledge	Existing risk registers are a great example of this as is an internet search of risk research such as the Chartered Institute’s Risk in Focus publication
Lessons learnt	Similar to past experience although specific to learning from mistakes to prevent them from recurring, and/or identification of missed opportunities to ensure in a similar scenario the opportunities aren’t missed again

It is also important to consider future risks. This is a totally different exercise and typically done less frequently as the timeframe for the risks may be 10 year or more. The technique for doing this is known as horizon scanning and guidance on identifying and assessing these Emerging Risks can be found here.

Risk identification and internal audit

According to the International Professional Practice Framework (IPPF) ‘the mission for internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.’

There are a number of points within the activities of internal audit where risk identification is important.

Internal audit activity

Risk identification relevance

Internal audit strategy

A strategic plan sets out the mission, purpose and values of the internal audit function, by ensuring alignment to stakeholder expectations and the needs of the organisation it means internal audit maintains relevance

To develop this internal audit must understand the organisation’s risk framework to the extent one exists, the organisation’s risks and also perform a SWOT analysis to identify and manage its own risks

A strategic plan facilitates decision-making on resource allocation, targets, performance measures and areas of focus (linked to the Quality Assurance and Improvement Programme)

Risk-based internal auditing

The Chartered Institute defines RBIA as a methodology that links internal auditing to an organisation’s overall risk management framework. It allows internal audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite

It is about auditing the management of risk and is dependent on the organisation having a framework in place

Annual/Rolling plan

(Performance Standard 2010 and 2050)

When RBIA is possible, internal audit produce a risk-based audit plan for approval by the audit committee (or other such governing body)

The majority of internal audit resource will be directed to provide assurance that management is adequately and appropriately managing specific risks; there may also be an element of cyclical compliance assurance depending on what functions exist within the first and second line and regulatory requirements

The complexity and volatility of risk within many sectors have led to the annual internal audit plan being replaced with one that is updated more frequently, such as quarterly or rolling

If an organisation does not have a risk framework, internal audit should undertake its own risk assessment process or ideally facilitate the process for management in accordance with its legitimate roles in risk management

Audit engagement planning

(Performance Standard 2200)

Depending on the information available, internal auditors may need to identify risks to supplement those offered by management, particularly when risk maturity is evolving

Internal auditors should be continually alert to emerging or unidentified risks surfacing as the engagement progresses. Risks identified during engagement planning may need to be reprioritised

Audit findings

(Performance Standard 2320)

Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

It is a good discipline to present each audit finding in relation to the risk that it relates to. This draws out situations where findings relate to multiple risks which can be beneficial in prioritising data in formal audit communications

All audit engagements provide the opportunity to evaluate the effectiveness of the risk management process in the area under review

Agreeing actions

(Performance Standard 2410)

Management are invariably busy with limited free resource.

Internal auditors can demonstrate commercial acumen by prioritising risks for discussion and highlighting the consequences if identified weaknesses are not addressed

Overcoming risk identification challenges

1. Risk relates to more than one objective

Yes, they can although how they need to be addressed may differ.

Look again at the risk statement and the objective.

Is it clear and specific?

Can it be broken down further?

Rewrite a risk that is simply the opposite of the objective (failure to comply with xxx or poor understanding of xxx) or states the impact rather the risk (loss of data xxx).

2. Management are not transparent and objective

Risk identification can be stressful depending on the environment in which it is done. Internal auditors should be mindful of culture and aim to create a ‘safe space’ as far as possible.

In a blame culture, individuals may fear reprisal if they are not perceived to be managing their risks, others may be naïve to risks if new in a role and some may be risk immature expressing a preference for firefighting, dealing with the problem rather than taking the steps to prevent or prepare for it.

Internal audit should refer to their legitimate roles in risk management to educate and raise awareness of good practice alongside highlighting where cultural change would be beneficial.

3. Risk is outside of the organisations control

It is not uncommon for people to want to focus on what they can influence.

The question to ask is - if the event was to occur what would the consequences be for the organisation? Consider the coronavirus pandemic, an earthquake, new entrant into a competitive marketplace, cyberattack on the national grid…

4. Cognitive biases influence risk identification

Human nature means many of us are uncomfortable with uncertainty, and therefore risk. There are lots of psychological barriers ‘risk framing’ which we often put in place without realising which is often referred to as cognitive bias.

Think for a moment about your organisation’s risk profile.

Was pandemic on the risk register at the end of 2019?
Was the risk statement well written?
How effectively was the risk addressed (continuity/crisis/resilience planning)?

Global institutions such as the World Health Organisation and World Economic Forum has been warning of the increasing probability of a global pandemic for many years before the events of 2019/20.

Internal auditors should encourage management to recognises biases and take any lessons forward from the coronavirus pandemic to better address other high impact/low probability risks.

Bias	Risk thinking	Internal audit response
Gambler’s Fallacy	If something has already happened it’s less likely to happen again; natural disasters, cyber-attack	Validate if the risk event is statistically independent
Normalcy Bias	Things will always function/happen in the way they do now; coastal cities, driving cars	Explore rationale by repeatedly asking why (5 why’s technique) and suggest alternative viewpoints
Anchoring Fallacy	Over reliance on historical information/events to make judgements	Explore what has changed and moved point of reference to current data and forecasts
Availability Bias	Overestimate highly visible or known occurrences; plane crash vs car accident	Look at proportionality and compare the risk to others that are similar
Short-termism	Excessive focus on immediate risks/consequences at the expense of those in the future; climate change	At the end of the discussion, reframe the conversation and encourage horizon scanning
Zero-Risk Bias	Aversion to taking risks, preference to eliminate all risk	Discuss commerciality, eliminating risk is costly, also look at the consequence of missed opportunity by taking risk, if defined refer back to the organisations risk appetite
Texas Sharpshooter Fallacy	Ignore data that doesn’t fit or emphasising data that does fit with a point of view, such as a business case	Fully explore the topic, suggest looking at it from different perspectives
Information Bias	Over focus on gathering data superfluous to need	Acknowledge expert knowledge but simplify the context to focus on the nub of the issue

Conclusion

We have shown that internal auditors need to be adept at analysing and interpreting the risks identified by the organisation. They also need to be able to identify risk for themselves, take into account the influence of organisational culture and personal bias to educate where necessary.