Will Auditors Fail Risk Register

I recently presented at a Zoom meeting of IIA Qatar on the topic of "Gamble Management for Success". At one point, I shared an example of a risk register I had found on the web. I explained how it was removed from the context of achieving objectives (i.due east., gamble to what?) and that periodically managing a list of risks is non sufficient. Far more is needed for effective risk management as I encounter information technology (enabling an adequate likelihood of achieving objectives[i]).

Risk register

In the Q&A session, somebody asked how the gamble register could exist improved.

There are multiple issues that need to be overcome, including:

As mentioned to a higher place, it is a static list of risks, updated occasionally. Managing a listing of what could become wrong is not the same as considering how best to achieve objectives. That requires understanding what might happen as part of every decision and that changes often – requiring more than a periodic discussion. However, there is a measure of value in the periodic review of those sources of potential damage that demand to be addressed, typically monitored, on a continuing basis. I will come back to that.
Also every bit noted above, these are risks to what and what the devil does a "loftier" rating mean? It doesn't aid us understand how an agin event would impact the objectives of the organization. That is not addressed at all, potentially leading those who review a gamble annals to note it with interest but non know how important the bug are, especially when compared to other matters needing their fourth dimension and coin.
A run a risk annals leads to managing and mitigating individual risks in silos instead of considering all the things that might happen, the big film, to determine the all-time cause of activity and how much to accept of which risks.
A listing of risks focuses but on what might become wrong, ignoring the possibilities of things going well. For example, first-class performance by the project team might lead to early completion of the project.

There are more problems, just I desire to talk about ane that seems to confound many take a chance practitioners: that risks (and opportunities) are not a betoken; there is a range of potential effects or consequences and each point in that range has its own likelihood.

Have the first "risk" in the register above: "Project purpose and need is not well-divers" and enquire the people involved in the project for their "run a risk cess".

The business concern unit manager considers the meetings she has attended with the project team. She believes that in that location is a fifteen% possibility that they have misunderstood her people's needs and that could exist quite pregnant. If that is the example, she tin encounter a combination of revenue and cost impacts that she estimates as $300,000 over the adjacent quarter, more than and for longer if the bug are not corrected promptly. If you asked her to rate the likelihood and affect, she would say that is medium likelihood and medium impact, for a medium overall severity.
The COO tells you that he has confidence in both the business and IT people working on the project and in that location is a very low probability, maybe 5%, of an issue that he says would non corporeality to more than $100,000 (the price of boosted piece of work) and would not affect revenue goals. He rates that equally depression likelihood and impact, for a low overall severity.
The projection leader exudes confidence. He is 100% confident that there will not exist whatever serious issues. He dismisses the idea of pocket-size snags as something that always happens. He also assesses likelihood, touch on, and severity equally depression.
The analyst responsible for working with the vendor to place and implement any customizations is reluctant to give her estimate. Eventually, she admits in that location is a thirty% chance that something volition go wrong and information technology would price upwardly to $1,000 per day of consultant time to make corrections. She doesn't know how that might touch on the business. When pushed, she whispers that the likelihood is high, effect is medium, and she doesn't know how to assess overall severity from her inferior position.

Are they wrong? Or, are they all correct? How can they accept different answers?

In all likelihood (pun intended) they are all right.

Like those who just run across or impact one part of an elephant, each person has a dissimilar perspective, bias, and interest. They also have different information and insight.

Blind men and elephant

A typical hazard practitioner would study either the virtually likely effect and its likelihood, ignoring the others, or the about severe and its likelihood. Some would try to come upward with an average of some sort.

That would hateful that they would choice the cess of 30% and $i,000 per twenty-four hours, or 15% and $300,000. But that would so run into a problem when more than senior direction, the COO, tries to overrule those who don't (in his opinion) see the big picture. (This is something I take encountered multiple times in my career, just that's not the topic today.)

Attempting to boil these different answers down to i 'value' for likelihood and touch is not what I consider part of effective hazard management. (I draw that as addressing what might happen every solar day so y'all can take an adequate likelihood of achieving your objectives.) It is besides questionable whether yous can calculate 'severity' either by multiplying severity and affect or using a estrus map.

The fact is that there is no single betoken.

The fact is that there may be unlike gradations of 'failure', each with its ain level of outcome and each with its own likelihood.

The take a chance register talks nigh the likelihood of the run a risk outcome when it should be talking well-nigh the likelihood of the effect.

When yous can have multiple levels of upshot, y'all have a range .

Twenty

A improve approach involves bringing all the players (and in that location would likely be more than these four) into a room and asking these and other questions to come to a shared assessment that makes business organization sense – recognizing that this is just one of several risks and opportunities to consider.

Why is this project needed? How does information technology relate to enterprise objectives? Why does it thing and how much does it matter? What is important about it?
How would a failure to ascertain the "purpose and demand" affect the business? What would happen if the projection is, for example, delayed? What most if it doesn't deliver all the required functionality?
How should we measure the consequences? Are traffic light ratings (high, medium, depression) meaningful? Should we use a dollar figure, for case in estimating boosted costs and revenue losses? Would that help us make the right business decisions? How about making the assessment based on how one or more enterprise objectives would exist affected, such as how a failure could impact the likelihood they would no longer exist achieved?
What is the worst that could happen? At present, what is its likelihood?
How probable is it that everything is perfect?
Assuming that we are using a dollar effigy to estimate potential consequences, what is the likelihood of a $300,000 bear on? (This would be modified if instead we are assessing based on the effect on objectives.)
How near a $100,000?
..and so on until a range of potential effects (or consequences) and their likelihoods are agreed upon.

At that place are tools (such as Monte Carlo) that tin calculate a value for the range of effects and their likelihood. However, while it is possible to accept a value, I would talk to the consumers of gamble information, the conclusion-makers, whether they want to see a unmarried value or empathise the full range of possible consequences.

This is simply the assessment of a unmarried source of risk and information technology is likely that other risks and opportunities might take to exist considered before agreeing (a) whether the situation is acceptable, and (b) what actions to have if it is not.

Even though I talk most risk management providing the information about what might happen (both risks and opportunities) that is required for informed and intelligent decisions , in that location is notwithstanding value in the periodic taking stock (to quote my friend, John Fraser) of those risks and opportunities that are so meaning they merit a more continuing level of attention.

But such a listing has to show why these risks and opportunities are important.

Maxim it is "high" means nothing.

It is imperative to explain how it relates to the achievement of objectives.

It is also imperative to show that there is a range of potential effects or consequences; the simply exception I would brand is where the decision is fabricated that just the likelihood of particularly severe consequences needs to be monitored.

Twenty

Equally I explain in my books, what makes the most sense (in addition to the continuous enabling of determination-making) is reporting the likelihood of achieving objectives considering all the things that have happened, are happening, and might happen.

This is actionable information that helps leaders sympathize whether they are likely to reach what they have set out to reach. They can determine whether that likelihood is acceptable and make up one's mind what actions are needed, if any.

So, where does all of this go out us?

Twenty

This is my recommendation:

Ensure there is appropriate attending to what might happen (both for good and damage) every twenty-four hour period every bit part of both strategic and tactical controlling.
Monitor on a regular basis the likelihood of achieving objectives[2], considering what has happened, what is happening, and what might happen.
Monitor on a continuing ground those risks and opportunities that merit attending because of their potential to affect the business and the achievement of its objectives, both brusk and longer-term.

Twenty

I welcome your thoughts.

[i] If you prefer the approach of Estell and Grant, consider the adequate likelihood of achieving the purpose.

[two] If objectives are designed to achieve purpose or mission over fourth dimension, this equates in a practical way to monitoring the likelihood of achieving purpose or mission.