Don’t Confuse a Control Risk Assessment with an Enterprise Risk Assessment
Derek Yankoff, Chief Strategy Officer
In managing the internal audit function, the institution’s Audit Committee is responsible for commissioning a Control (or “Auditor’s”) Risk Assessment, developing audit plans and overseeing the execution of the audit program. A Control Risk Assessment documents the internal auditor’s or outsourced audit service provider’s understanding of the institution’s significant business activities and their associated risks. These assessments typically consider the risks inherent in a given business line, the mitigating control processes and the resulting aggregate risk exposure to the institution. The auditors should update the assessments annually to reflect changes to the system of internal control or work processes and to incorporate new lines of business.
Conversely, an Enterprise Risk Assessment can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act and strategic planning (remember: Strategy Drives Risk). ERM addresses the needs of various stakeholders (i.e., risk owners, risk managers, C-Suite executives, Board members) who need to understand the broad spectrum of risks facing the institution to ensure they are appropriately managed. Put another way, enterprise risk management is accomplished in large part by performing an enterprise risk assessment.
With that groundwork laid, let’s take a look at the Control (or “Auditor’s”) Risk Assessment first. The Control Risk Assessment methodology performed by the auditor identifies all auditable areas, provides a narrative basis for the auditor’s (not management’s) determination of relative risks, and is consistent from one auditable area to another. The Control Risk Assessment quantifies Credit Risk, Interest Rate Risk, Liquidity Risk, Operational Risk, Compliance Risk, Strategic Risk, Reputational Risk, BSA Risk and Fair Lending Risk (if applicable). Some specific functions and activities may be embedded within larger categories; for example, some information technology risks are addressed in the Operational Risk area, while certain other IT risks can be found in the Compliance Risk area. The auditor’s Control Risk Assessment considers the potential that deficiencies in the system of internal control would expose the institution to loss, and it provides the auditor with data sufficient to develop the scope, coverage, timing, frequency and budget for the audits planned for the year.
When appropriate, the auditor should consider the introduction of new products and departmental changes, which factor into the audit plan. It should be noted that ratings of particular business activities or corporate functions may change with time, and the auditor should revise the method for assessing risk accordingly. A properly drafted internal audit plan is based on the auditor’s Control Risk Assessment and typically includes an evaluation of key internal controls within each significant business activity. Ideally, the auditor’s only role should be to independently and objectively evaluate and report on the effectiveness of an institution’s risk management, control and governance processes for the purpose of audit plan development. The assessment should be periodically updated to reflect changes in the system of internal control, work processes, business activities or the business environment.
Conversely, the institution’s Enterprise Risk Assessment provides management with actionable outcomes that facilitate risk mitigation, controls development and process remediation. It also includes the methods and processes used to seize opportunities related to the achievement of institutional strategic objectives: assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress. By identifying and proactively addressing risks and opportunities, the institution protects and creates value for its shareholders, employees and customers.
Enterprise risk assessment frameworks describe an approach for identifying, analyzing, responding to and monitoring risks and opportunities within the internal and external environment facing the institution. Management selects a risk response strategy for specific risks identified and analyzed, which may include:
• Avoidance: exiting the activities giving rise to the risk
• Harnessing: taking action to reduce the likelihood or impact of the risk
• Alternative Actions: identifying and deciding on other feasible steps to minimize the risk
• Transferring: transferring or sharing a portion of the risk
• Acceptance: taking no action, based on a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or conducting management committee meetings with relevant experts to understand how the risk response strategy is working and whether the objectives are being achieved.
So, you can see that each of these two risk assessment approaches has distinct objectives, methodologies and outcomes and therefore should not be combined or mistaken for one another. Moreover, your regulatory examiners expect to see both approaches in operation at your shop. The bad news is that employing both approaches can be costly and time consuming. The good news is that there is a simple, cost-effective way to get them both done and achieve remarkable results that will impress your examiners and Board of Directors and keep your bank compliant with the risk management mandates set forth by the OCC, FDIC and FRB.