Identifying and analyzing risk is an ongoing iterative process conducted to enhance the entity’s ability to achieve its objectives. Although an entity might not explicitly state all objectives, this does not mean that an implied objective is without either internal or external risk. Regardless of whether an objective is stated or implied, an entity’s risk assessment process should consider risks that may occur. This process is supported by a variety of activities, techniques, and mechanisms, each relevant to overall risk assessment. Management develops and implements controls relating to the conduct of such activities.
Management considers risks at all levels of the entity and takes the necessary actions to respond. An entity’s assessment considers factors that influence the severity, velocity, and persistence of the risk, likelihood of the loss of assets, and the related impact on operations, reporting, and compliance activities. The entity also needs to understand its tolerance for accepting risks and its ability to operate within those risk levels.
Risk identification must be comprehensive. It should consider all significant interactions—of goods, services, and information—internal to an entity and between the entity and its relevant business partners and outsourced service providers. These entities can include potential and existing suppliers, investors, creditors, shareholders, employees, customers, buyers, intermediaries, and competitors, as well as public bodies and news media. In addition, the organization should consider risks emanating from external factors such as new or amended laws and regulations, environmental issues, or potential natural events.
Further, risks related primarily to one category of objectives may impact objectives in other categories. For instance, a risk relating primarily to an operations objective for the timely production and delivery of a company’s product may also impact financial reporting if the company’s sales contract contains penalties for late shipments. In those instances where an organization is considering risks relating primarily to one category of objectives, for instance financial reporting, the risk assessment process may need to consider objectives in other categories that can also impact financial reporting objectives.
Risk identification is an iterative process and is often integrated with the planning process. However, it may be useful to take a fresh look at the identified risks, and not merely default to making an inventory of risks as noted in the previous review. The focus is on identifying all risks that potentially impact the achievement of objectives as well as on emerging risks—those risks that are increasingly relevant and important to the entity and that may be addressed by scanning and analyzing relevant risk factors, as remote as they may seem.
Considers Entity and Subunits
Risk identification considers risks at various levels of the organizational structure, including the overall entity and its subunits, and processes such as sales, human resources, marketing, production, and purchasing. Entity-level risk identification is typically conducted at a relatively high level and, generally, does not include assessing transaction-level risks. Conversely, the identification of risks at a process level is inherently more detailed and would include transaction-level risks.
In addition, risk assessment considers risks originating in outsourced service providers, key suppliers, and channel partners that directly or indirectly impact the entity’s achievement of objectives.
Internal and External Factors
Management considers risks in relation to internal and external factors. Risk is dynamic; therefore, to determine the frequency of its risk assessment process, management generally considers the rate of change in risks to the achievement of objectives, other operational priorities, and cost. Typically, the process is a combination of ongoing and periodic risk assessments. If the rate of change relating to an objective or internal and external factors increases, it is useful to accelerate the frequency of assessing the related risks or assess the risk on a real-time basis.
Entity-Level Risks
Risks at the entity level can arise from external or internal factors. External factors may include:
• Economic—Changes that can impact financing, capital availability, and barriers to competitive entry
• Natural Environment—Natural or human-caused catastrophes or ongoing climate change that can lead to changes in operations, reduced availability of raw materials, or loss of information systems, highlighting the need for contingency planning
• Regulatory—A new financial reporting standard that can require different or additional reporting by a legal entity, management operating model, or line of business; a new anti-trust law or regulation that can force changes in operating or reporting policies and strategies
• Foreign Operations—A change in the government of a foreign country of operation that can result in new laws and regulations or altered tax regimes
• Social—Changing customer needs or expectations that can affect product development, production process, customer service, pricing, or warranties
• Technological—Developments that can affect the availability and use of data, infrastructure costs, and the demand for technology-based services
Internal factors include:
• Infrastructure—Decisions on the use of capital resources that can affect operations and the ongoing availability of infrastructure
• Management Structure—A change in management responsibilities that can affect the way certain controls are effected
• Personnel—The quality of personnel hired and methods of training and motivation that can influence the level of control consciousness within the entity; expiration of labor agreements that can affect the availability of staff
• Access to Assets—The nature of the entity’s activities and employee accessibility to assets that can contribute to misappropriation of resources
• Technology—A disruption in information systems processing that can adversely affect the entity’s operations
Identifying external and internal factors that contribute to risk at an entity level is critical to comprehensive risk assessment. Once the major factors have been identified, management can then consider their relevance and significance and, where possible, link these factors to specific risks and activities.
For example, an importer of apparel and footwear established an entity-level objective of becoming an industry leader in high-quality fashion merchandise. The entity considered general risks such as the impact of deterioration in economic conditions, market acceptance of products, new competitors in the entity’s market, and changes in environmental or regulatory laws and regulations. In addition, the entity considered risks at the entity level such as:
• Supply sources, including the quality, quantity, and stability of foreign manufacturers
• Exposures to fluctuations in the value of foreign currencies
• Timeliness of receiving shipments and delays in customs inspections
• Availability and reliability of shipping companies and costs
• Likelihood of international hostilities and trade embargoes
• Pressures from customers and investors to boycott doing business in a foreign country whose government adopts unacceptable policies
• Expectations from consumers or local stakeholders toward use of natural resources
Transaction-Level Risks
Risks are identified at the transaction level within subsidiaries, divisions, operating units, or functions, including business processes such as sales, purchasing, production, and marketing. Dealing with risks at this level helps focus on the achievement of objectives and/or sub-objectives that have cascaded down from the entity-level objectives. Successfully assessing risk at the transaction level also contributes to maintaining acceptable levels at the entity level.
In most instances, many different risks can be identified. In a procurement process, for example, an entity may have an objective related to maintaining adequate raw materials inventory. The risks to not achieving this objective might include suppliers providing materials that do not meet specifications or are not delivered in needed quantities, on time, or at acceptable prices. These risks might affect entity-level objectives pertaining to the way specifications for purchased goods are communicated to vendors, the use and appropriateness of production forecasts, identification of alternative supply sources, and negotiation practices.
Potential causes of failing to achieve an objective range from the obvious to the obscure. Certainly, readily apparent risks that significantly affect the entity should be identified. To avoid overlooking relevant risks, this identification is best made apart from assessing the likelihood of the risk occurring. There are, however, practical limitations to the identification process, and often it is difficult to determine where to draw the line. For example, it may not make sense to conduct a detailed assessment of the risk of a meteor falling from space onto an entity’s production facility, while it may be reasonable for a facility located near an airport to consider in some detail the risk of an airplane crash.