Risk assessment by corporations has been refocused to include risks associated with the implementation of complex information technology, the use of increasingly sophisticated financial instruments and multi-jurisdictional regulations for environmental, health and safety standards. For many corporations, operational processes have undergone profound change as the traditional layered approach to control has been stripped away and re-engineered processes implemented.
What does all this mean for internal audit? Many corporations are pausing to re-evaluate the traditional role and responsibility of internal audit within the corporation. The role of internal audit as a "corporate financial accounting cop" is vanishing.
In today's environment, internal auditors must be capable of monitoring the extent to which internal controls are appropriately aligned with a diverse and increasingly complex arena of corporate risks.
Corporations are acknowledging that an effective internal audit group can help the corporation achieve its business objectives by ensuring that risk and internal controls have been properly aligned, and then monitoring the implementation of those internal controls.
How important is internal audit to the corporation?
This question is being asked both by directors and senior executives. For many corporations the response is: "Important but not core."
As with many other important but non-core activities, corporations are increasingly turning to outsourcing as the optimum means to achieve a multidisciplinary team of internal auditors to assist in monitoring the complex range of corporate risks and controls.
Outsourcing provides a cost-effective means to ensure that skilled expertise is available to monitor the risk and controls for areas such as enterprise-wide systems, firewall installations, data security, treasury, supply chain activities, environment, health and safety. Many corporations are also discovering that outsourcing is not an "all or none" option. Outsourcing can range from the complete outsourcing of the entire internal audit department to strategic outsourcing of certain parts of the internal audit plan, such as information technology security control assessment.
A key issue to consider when evaluating full or strategic outsourcing alternatives is the availability and mobility of existing skilled employee resources to meet the corporation's internal audit needs. Other important considerations are the average retention period of internal audit staff and the cost of maintaining an in-house internal audit group including salaries and benefits, overhead, training and technology tools.
For multinationals, the ability and effectiveness of the internal audit group to service multi-jurisdictional subsidiaries and divisions is frequently evaluated.
The existing internal audit group might also provide a training ground for future managers and executives. The willingness and ability of an internal audit outsource provider to support a corporate training program by including corporate employees on various internal audit assignments should be assessed.
Strategic outsourcing is an alternative where the existing internal audit group provides practical, value-added business recommendations but lacks the necessary skill to evaluate internal controls supporting specific complex business activities.
The final decision to enter into either a full or strategic internal audit outsourcing arrangement should be driven by the practical business needs of the corporation. However, in reaching either decision, a corporation cannot delegate responsibility for implementing and maintaining an effective internal control environment. That responsibility will always reside with the board of directors and management.
The internal audit outsourcer's responsibility is to assist the corporation to achieve its business objectives by ensuring that risk and internal controls have been properly aligned, and then to monitor the implementation of those internal controls.
- How can you enhance shareholder value through effective enterprise-wide risk management strategies?
- How do you determine which risks to take, which to avoid, which to manage, and which to accept?
- How do you decide where to allocate resources among a variety of options with different risks and potential rewards?
- How do you develop and implement effective enterprise-wide risk management processes throughout an organisation?
Objectives and Risk Assessment
In order to answer these critical questions, our Strategic Risk Services (SRS) specialists work closely with senior management to clarify and articulate your organisation's overall business objectives and the strategies identified to achieve those objectives. We then work with you and designated business or functional units, through a series of one-on-one meetings and facilitated group sessions, to identify and assess the key risks that can jeopardise achievement of your goals, evaluate the likelihood of occurrence and potential impact, assess the strategies in place to mitigate those exposures, and identify and prioritise additional or alternative risk mitigation strategies needed. Our objectives-based approach to risk assessment and management ensures that major focus is directed at protecting against the risks that would have the greatest impact on realising your objectives. An improved understanding of your organisation's objectives and risk profile provides the foundation for focusing your entire organisation on the critical role risk management plays in the achievement of the organisation's goals.
Enterprise-Wide Risk Management
Traditional one-point-in-time risk assessment models have been made obsolete by today's rapid pace of change. Clients are increasingly concerned about their ability to effectively and efficiently manage the risks associated with these swift changes. In order to address these concerns, today's best practices in risk management focus on proactive and continuous enterprise-wide risk management. Our specialists incorporate our proven Objective Risk Control Alignment methodology and partner with you to design, implement and embed a comprehensive enterprise-wide risk management architecture within the organisation. Our state-of-the-art methodology brings this process to life by providing real-time, continuous risk assessment and management that is integrated into the strategic plan and day-to-day operations of your organisation. This process results in a culture shift that empowers each business and functional unit to take responsibility and be accountable for risk management.
Harness the Power of Risk
Risk is powerful. It can drag you down or, if properly managed, it can enable you to realise your strategic objectives. The perspective on risk is changing. Traditionally, risk management focused solely on protecting the organisation from hazards or uncertainties. Today, risk is increasingly seen on a continuum that incorporates the downside view of risk and progresses beyond to include the opportunity-driven, calculated risks taken as part of a proactive strategic plan to capitalise on opportunities in order to realise desired rewards. Taking too little risk and over-managing or avoiding risk altogether can be as much of a management failure as taking too much unmanaged risk. Our specialists build processes within the organisation to help you determine which risks to take, which risks to avoid, which risks to manage, and how to manage them. We help you harness the power of risk to enhance shareholder value.
Some of the benefits which can be realised include:
- Enhanced shareholder value
- Improved reputation
- Increased ability to achieve strategic objectives
- Improved decision-making and smarter allocation of resources
- Reduced likelihood of control breakdowns and crises
- Clear alignment between objectives, risks, and risk management strategies
- Continuous, real-time risk assessment, management, measurement, and monitoring
- Risk management responsibility driven to each business unit and individual
- Improved accuracy of management reports.
Some Methodologies For Risk Assessment
- Failure Mode and Effects Analysis: Examines each potential failure condition in a system to determine the severity of the impact to the system.
- HAZOP (Hazard and Operability): Examines process and engineering intentions to assess the potential hazards that can arise from deviations from design specifications.
- Historical Analysis: Examines frequency of past incidents to determine the probability of a condition recurring.
- Human-Error Analysis: Examines the possible impact of human intervention and error on a system.
- Probabilistic Risk Assessment: Examines the probability that a combination of events will lead to a particular condition.
- Tree Analysis: A family of analysis methods, such as event tree, attack tree, management-oversight tree and fault tree, that focuses on processes or a sequence of events that may lead to a particular condition.
Services
- Enterprise-Wide Risk Management
- Framework Design and Implementation
- Enterprise-Wide Risk Management Monitoring
- Office of Chief Risk Officer Development
- Risk Management Best Practices Benchmarking.
When to Use Risk Analysis
Risk analysis is most useful when applied during the system design phase of an application or system so that potential losses may be identified and security requirements defined right from the start. Experience has shown that implementing security controls during the design phase is far less costly than retrofitting such controls after a computer system is operational. Nonetheless, for those systems already in operation, risk analysis can identify vulnerabilities for which corrective action can be taken. Risk analysis conducted during any phase of a computer system life cycle should use an approach for reducing the loss of personnel efficacy, information, equipment, and processing capability.
Please call 0870 421 4023 to find out more about our risk assessment services, or e-mail risk.team@Whitehelm.com requesting more information.