FTC - Audit Risk Measurement Maturity
Causal Capital is about to open a new series of information-sharing articles that we are calling "From The Class", or FTC. In this FTC series, we look at snippets of learning delivered across the masterclasses we have run and discuss the key takeaways from each training session.
One of the positive outcomes of running a Risk Based Audit rather than a conventional audit is the tendency for auditors to mature the way in which they measure risk. There are three common ways in which internal audit generally assesses exposure on an audit, and these methods are described on the flipchart below.
Risk Based Audit Measurement Discussion | Causal Capital Presentation
High, Medium and Low
It would seem obvious to most people, and certainly to the board and committee members auditors report to, that risk is not just risk; it's far more than that. Some risks are serious threats that keep the CEO awake at night, while others are less concerning or just niggling annoyances, and auditors need to be able to delineate the differences between these two polar ends of the risk spectrum.
Using a very primitive scale, you have high risk and low risk, and why not insert something in between these two places for medium risk or, even better, use the traffic light system of Red~High, Amber~Medium and Green~Low.
Keep it simple, yes, and let's not complicate things unnecessarily, but painting the risk world in such a monochromatic manner, without the shades of grey between these three positions of measurement, has serious limitations. In short, it prevents auditors from 'counting risk', and what can't be counted can't really be compared or benchmarked. Let me explain with an example:
High Risk + Low Risk ≠ Medium Risk ... although it should if one was to count it.
If you were to invest a dollar into high risk and a dollar into low risk, you should end up somewhere in the middle, but on this scale the sum is mathematically incoherent, and that brings us to a place where what is high risk for one stakeholder may not be for another. High, Medium, Low is a dysfunctional way to measure risk, although it might end up being a tidy way of reporting threats, and we will talk more about this later on.
Risk = Likelihood x Impact
Many auditors quantify risk by parameterising two aspects of uncertainty: the likelihood of something happening and the impact experienced if that event does actually occur. On the surface this appears to be a very tidy way to express uncertainty, but in bringing these two parameters of risk into a single measure of exposure, auditors tend to fall into a trap. Stakeholders need to be able to compare risks side by side so that they can prioritise an appropriate response for them, and auditors have a tendency to do nothing more than multiply the two numbers (likelihood and magnitude) together to generate that single 'financial measure' of risk.
Using the arithmetic of Risk = L x I is one of the most common measurement disasters some auditors create for themselves, and it's a big fail for one single reason. If the anticipated concern does eventuate, the full impact experienced is not reduced by the likelihood of it. Again, these things are best explained with an example:
Through assessment, there is a 0.1% chance of a substantial earthquake this year and auditors have quantified the loss potential to be $1,000,000. Great, so under our LxI technique risk becomes the product of these two assessed numbers, or 0.001 x $1,000,000 = $1000. This is an utterly ridiculous proposition because the exposure was assessed at $1 million, not $1000 !!!
Coherent Measures of Risk (CMR)
A more mature way to measure risk is one where the risk quantification is statistically coherent, and in this masterclass we step through the various activities required to develop a parametric distribution of potential outcomes from a risk assessment.
The benefits of measuring risk coherently are not obvious to auditors at first, and there are many advantages that can be listed, but for time's sake I will describe a handful of winning factors for coherent risk measurement:
Allow multiple risks to be aggregated into a single report and then compared
Support the measurement of risk in line with stakeholders' appetites across different levels of risk
Protect the auditor from their own moral hazard or malpractice of assessing risk with huge bias and error
Coherent measures of risk allow different risk measurement techniques to be integrated
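The earthquake figures above, worked through as an added example that is not from the masterclass material: it compares the L x I score with expected shortfall, taken here as one coherent measure (the article does not name a specific one), and shows two risks being aggregated. The processing-error risk and the 0.1% tail level are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

# Discrete loss distributions as (loss, probability) pairs. Exact fractions
# keep the tail arithmetic free of floating-point drift.
EARTHQUAKE = [(1_000_000, Fraction(1, 1000)), (0, Fraction(999, 1000))]
# Constructed comparison risk: frequent small losses with the same L x I score.
PROCESSING_ERRORS = [(2_000, Fraction(1, 2)), (0, Fraction(1, 2))]


def likelihood_x_impact(dist):
    """The L x I score: the probability-weighted average loss."""
    return sum(loss * p for loss, p in dist)


def expected_shortfall(dist, tail):
    """Average loss across the worst `tail` fraction of outcomes."""
    remaining, total = tail, Fraction(0)
    for loss, p in sorted(dist, reverse=True):  # worst outcomes first
        take = min(p, remaining)
        total += loss * take
        remaining -= take
        if remaining == 0:
            break
    return total / tail


def aggregate(a, b):
    """Loss distribution of two independent risks held together."""
    combined = {}
    for (la, pa), (lb, pb) in product(a, b):
        combined[la + lb] = combined.get(la + lb, Fraction(0)) + pa * pb
    return sorted(combined.items(), reverse=True)


def report(tail=Fraction(1, 1000)):
    """Map each risk name to (L x I score, expected shortfall at `tail`)."""
    risks = {
        "earthquake": EARTHQUAKE,
        "processing": PROCESSING_ERRORS,
        "combined": aggregate(EARTHQUAKE, PROCESSING_ERRORS),
    }
    return {name: (likelihood_x_impact(d), expected_shortfall(d, tail))
            for name, d in risks.items()}


if __name__ == "__main__":
    for name, (lxi, es) in report().items():
        print(f"{name:12s} LxI=${float(lxi):>12,.0f}  "
              f"ES(0.1% tail)=${float(es):>12,.0f}")
```

Both risks score $1000 under L x I, yet the tail measure separates them, and the combined figure never exceeds the sum of the individual ones, which is what lets the numbers be added into a single report.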
I have reviewed quite a few Risk Based Audit training programs on the market and so many of them just don't hit the target, in my opinion. As an auditor, if you walk away from the training without a demonstration on Coherent Risk Measurement, you need to be concerned as to what else has been missing from your course.
In 2017, Causal Capital will be releasing a new London School of Business and Finance masterclass titled Quantitative Audit Testing. Many auditors are already showing an interest in this exciting advanced audit workshop, but one prerequisite for attending QAT will be an understanding of Coherent Measures of Risk.