Questions to ask about the risk assessment process - Deloitte

Questions to ask about the risk assessment process
Introduction
Changes in technology, globalization, the nature of business transactions, and the rapid evolution of
business life cycles create significant challenges for boards and senior executives as they attempt to
manage risks that have the ability to curtail an enterprise’s ability to achieve crucial objectives. Risk
drivers, as a result of both internal and external events, can quickly and significantly impact an
enterprise. To overcome these challenges, senior management and the board must change the way
they think about and approach risk management.
Although management has the primary responsibility for assessing enterprise risk, the board is
required to take an active oversight role. To assist boards with their oversight responsibility in this
area, Deloitte has developed a list of questions that directors can use to help them engage with senior
management regarding the effectiveness and efficiency of the company’s risk assessment process.
This list is not exhaustive. It is designed to highlight key topics related to the issue.
The board’s role
1. What level of involvement should the board have in the risk assessment process?
2. How should the board organize itself to fulfill its responsibility with respect to risk management
oversight?
a. At the full board level
b. Through a subcommittee
c. Through a mixture of both (a) and (b)
Identification and assessment policy
3. What is the company's policy and process for assessing and managing major risk exposures on
an integrated, enterprise wide basis?
4. Has management determined the specific risks that might arise as a consequence of the
company's business model, strategy, and operations, thereby identifying and prioritizing risks in
the context of the company's unique characteristics and operating environment?
5. What are the company’s key risks and vulnerabilities and the plans to address them?
6. What is the company's appetite for risk and how much risk has it assumed?
7. Has a risk discussion been held with both the internal and the external auditors? Did they identify
any additional risks? Are they satisfied that our strategies are satisfactorily reducing our risk
exposures?
© Deloitte & Touche LLP and affiliated entities. Questions to ask about the risk assessment process 1

Impact on operations
8. Has an analysis been performed to align each risk with the company's objectives for creating and
preserving value, including specific business processes or functional areas in which that risk may
occur?
9. How capable is the company of preparing for, responding to, and recovering from significant risk
exposures?
10. Is risk factored into compensation arrangements? Consider the following:
a. Does compensation focus on risk-based returns?
b. Does the compensation design create risks that need to be managed?
Reporting and disclosure
11. Has management assessed the potential impact of each identified risk on the integrity of financial
reporting, as well as on the company's strategy, operations, and compliance activities?
12. Does the supporting technology adequately collect, document, track, and maintain risk-related
information?
13. Does management monitor and report on changing risk conditions?
14. Were any new risks identified during the most recent quarter?
Fraud risk
15. Has a fraud risk assessment been performed to identify what types of fraud the organization is
most susceptible to, where inside or outside the organization it could occur and how it might be
perpetrated?
16. Have personnel from all levels of the organization been involved in the fraud risk assessment?
17. Has a specific focus been given to the risk of management override of internal controls?
18. Have the identified fraud risk schemes been prioritized based on their significance and likelihood
and then linked to mitigating programs?
Reputational risk
19. What are the plans, practices and processes in place with respect to reputational risk
management? Have the following elements been considered:
a) Prompt and effective communication with all stakeholders, including shareholders,
employees, customers and suppliers;
b) Strong and consistent enforcement of controls on governance, business ethics and legal
compliance;
c) Continuous monitoring of threats to reputation;
d) Ensuring ethical practice throughout the supply chains; and
e) Establishment and continual updating of a crisis management plan and establishment of
a crisis management team, empowered with specific power and authority.
© Deloitte & Touche LLP and affiliated entities. Questions to ask about the risk assessment process 2

Responsibility
20. Have formal communication and escalation protocols regarding risk response, control
performance, and changes to the organization's risk profile been established?
21. Are risks consistently prioritized, controlled, and communicated throughout the organization?
22. Has management assigned responsibility for the overall assessment of enterprise risk to a
specific group of people at the appropriate organizational level?
23. Has responsibility for monitoring, responding to, and controlling each risk, or set of risks, been
assigned to the appropriate individuals within the company?
24. Have specific risks been explicitly mapped to specific business strategies, lines of business, legal
entities, product lines, geographies, business functions, business processes, and relevant control
areas and, in turn, to the individuals responsible for these areas?
25. Do employees and third parties (such as contractors and outsourcing organizations) understand
the risks associated with their business areas and the processes they perform? Do they execute
appropriate risk response and relevant control activities?
Conclusion
The questions included above are by no means comprehensive. Governance questions and
considerations about the efficiency and effectiveness of the risk assessment process must be tailored
to the organization and its particular industry. However, the overriding message is that directors and
senior management must work together to ensure that the strategic implications of risk are
appropriately managed.
www.deloitte.ca
Deloitte, one of Canada's leading professional services firms, provides audit, tax,
consulting, and financial advisory services through more than 7,600 people in 56 offices.
Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is
dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm
of Deloitte Touche Tohmatsu.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member
firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association),
neither Deloitte Touche Tohmatsu nor any of its member firms have any liability for each
other's acts or omissions. Each of the member firms is a separate and independent legal
entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche
Tohmatsu," or other related names. Services are provided by the member firms or their
subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.
© Deloitte & Touche LLP and affiliated entities.