Questions to ask about the risk assessment process - Deloitte
Questions to ask about the risk assessment process

Introduction

Changes in technology, globalization, the nature of business transactions, and the rapid evolution of business life cycles create significant challenges for boards and senior executives as they attempt to manage risks that could curtail an enterprise's ability to achieve crucial objectives. Risk drivers, arising from both internal and external events, can quickly and significantly impact an enterprise. To overcome these challenges, senior management and the board must change the way they think about and approach risk management.

Although management has the primary responsibility for assessing enterprise risk, the board is required to take an active oversight role. To assist boards with their oversight responsibility in this area, Deloitte has developed a list of questions that directors can use to help them engage with senior management regarding the effectiveness and efficiency of the company's risk assessment process. This list is not exhaustive. It is designed to highlight key topics related to the issue.

The board's role

1. What level of involvement should the board have in the risk assessment process?
2. How should the board organize itself to fulfill its responsibility with respect to risk management oversight?
   a. At the full board level
   b. Through a subcommittee
   c. Through a mixture of both (a) and (b)

Identification and assessment policy

3. What is the company's policy and process for assessing and managing major risk exposures on an integrated, enterprise-wide basis?
4. Has management determined the specific risks that might arise as a consequence of the company's business model, strategy, and operations, thereby identifying and prioritizing risks in the context of the company's unique characteristics and operating environment?
5. What are the company's key risks and vulnerabilities, and the plans to address them?
6. What is the company's appetite for risk, and how much risk has it assumed?
7. Has a risk discussion been held with both the internal and the external auditors? Did they identify any additional risks? Are they satisfied that our strategies are satisfactorily reducing our risk exposures?
© Deloitte & Touche LLP and affiliated entities. Questions to ask about the risk assessment process
Impact on operations

8. Has an analysis been performed to align each risk with the company's objectives for creating and preserving value, including specific business processes or functional areas in which that risk may occur?
9. How capable is the company of preparing for, responding to, and recovering from significant risk exposures?
10. Is risk factored into compensation arrangements? Consider the following:
   a. Does compensation focus on risk-based returns?
   b. Does the compensation design create risks that need to be managed?

Reporting and disclosure

11. Has management assessed the potential impact of each identified risk on the integrity of financial reporting, as well as on the company's strategy, operations, and compliance activities?
12. Does the supporting technology adequately collect, document, track, and maintain risk-related information?
13. Does management monitor and report on changing risk conditions?
14. Were any new risks identified during the most recent quarter?

Fraud risk

15. Has a fraud risk assessment been performed to identify what types of fraud the organization is most susceptible to, where inside or outside the organization it could occur, and how it might be perpetrated?
16. Have personnel from all levels of the organization been involved in the fraud risk assessment?
17. Has a specific focus been given to the risk of management override of internal controls?
18. Have the identified fraud risk schemes been prioritized based on their significance and likelihood and then linked to mitigating programs?

Reputational risk

19. What are the plans, practices and processes in place with respect to reputational risk management? Have the following elements been considered:
   a) Prompt and effective communication with all stakeholders, including shareholders, employees, customers and suppliers;
   b) Strong and consistent enforcement of controls on governance, business ethics and legal compliance;
   c) Continuous monitoring of threats to reputation;
   d) Ensuring ethical practice throughout the supply chains; and
   e) Establishment and continual updating of a crisis management plan and establishment of a crisis management team, empowered with specific power and authority.
Responsibility

20. Have formal communication and escalation protocols regarding risk response, control performance, and changes to the organization's risk profile been established?
21. Are risks consistently prioritized, controlled, and communicated throughout the organization?
22. Has management assigned responsibility for the overall assessment of enterprise risk to a specific group of people at the appropriate organizational level?
23. Has responsibility for monitoring, responding to, and controlling each risk, or set of risks, been assigned to the appropriate individuals within the company?
24. Have specific risks been explicitly mapped to specific business strategies, lines of business, legal entities, product lines, geographies, business functions, business processes, and relevant control areas and, in turn, to the individuals responsible for these areas?
25. Do employees and third parties (such as contractors and outsourcing organizations) understand the risks associated with their business areas and the processes they perform? Do they execute appropriate risk response and relevant control activities?

Conclusion

The questions included above are by no means comprehensive. Governance questions and considerations about the efficiency and effectiveness of the risk assessment process must be tailored to the organization and its particular industry. However, the overriding message is that directors and senior management must work together to ensure that the strategic implications of risk are appropriately managed.

www.deloitte.ca

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,600 people in 56 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms have any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.
© Deloitte & Touche LLP and affiliated entities.