Risk assessment per the Green Book is a complicated, multiple-step process. First, you have to break the universe into small enough pieces to be able to confidently assess risk on each piece. (Remember, if your subject matter is too broad, you will have a hard time moving on to later steps.) Next, you have to imagine the bad things that could happen with each piece and rank those bad things for magnitude and likelihood. After that, you have to decide what to do with the risks you have identified.
In earlier chapters we broke our subject matter into pieces, imagined the risks, and rated the risks for magnitude and likelihood. Now, in this chapter, I’d like to go back and add a little more useful information to help ensure that our thinking about the risks was thorough. We will also decide what to do with the risks that we have uncovered.
Was our thinking thorough?
Over time I have compiled a list of risks. Notice that I said that “I” compiled the list. It is not grounded in any standard because the standards are pretty vague about this sort of thing. In other words, don’t look for these in the GAO’s Green Book because they aren’t there.
• Loss of Money
Why have this list of risks? Because we need a benchmark against which to measure the risks we identified to make sure that our thinking was robust. But before we do that, let’s take a closer look at the components of the list.
More on generic risk
Thankfully, nothing I do in my job can cause death. I mean, if someone doesn’t get their CPE, they aren’t going to keel over dead! As I talk to my kids about future careers, I remind them that doctors hold people’s lives in their hands; and therefore, they have to go through an enormous amount of training and rigorous vetting in order to earn the right to practice medicine.
There are plenty of government activities that could involve death and injury. States take care of foster children, cities and counties run and regulate hospitals, and the federal government provides health care for veterans and the elderly. Citizens can die if a bridge collapses because of decay and neglect or if a shady restaurant goes unregulated and serves contaminated food.
But for most government activities, the worst risks they can generate are shame and loss of money. Scandals, waste, and abuse are, unfortunately, very common in government.
More on fraud risk
In the last two chapters, we focused on the Green Book’s directives regarding fraud risk. The original COSO model and the original Green Book did not mention the Association of Certified Fraud Examiners’ (ACFE) Fraud Tree. The current GAO Green Book mentions the three main branches of this tree in section 8.02:
8.02 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks. Types of fraud are as follows:
• Fraudulent financial reporting – intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles
• Misappropriation of assets – theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments
• Corruption – bribery and other illegal acts
A flip risk occurs when an entity produces results contrary to its mission and goals. For instance, a school cafeteria has a program to feed low-income children breakfast and lunch, but instead it uses the money to feed wealthy children. The cafeteria has experienced flip risk.
For our case study, the purpose of issuing credit cards to all the staff is to make purchasing small items easier. But sometimes in government, we can make what should be easy extremely hard and burdensome. I am friends with a professor who says he dreads using his university purchasing card because it involves twice as much paperwork and justification as using the university’s purchase order system. But occasionally he absolutely must use it because he can’t wait for the purchase order process to complete. Is the extra hassle intentional on the part of the university to discourage use of the card, or has the university lost sight of what it is ultimately trying to achieve (convenience and speed) by issuing purchasing cards?
Back to the case study
When we last visited our case study, we ended up with this result:
Now I want to go back and ask whether we thought of everything. Did we think of all the risks? Yes, I could have covered this a few chapters back… but I wanted to cover fraud risk and magnitude and likelihood first.
So let’s remove the magnitude and likelihood columns and instead name each “what could go wrong?” as either generic, fraud, or flip risk and make sure that we covered all of our bases.
We considered all three types of risk in our analysis – so I am pretty satisfied. But I could add flip risk to the use of the card and fraud risk to the “getting stuff” phase. Let me go ahead and do that and rank our two new ideas for magnitude and likelihood while I am at it.
I am sure you can think of more risks in these three categories for these three steps of the process, but we have enough to work with for purposes of this book. Again, the reason we apply the three types of risk to our ideas is to help us think of other relevant risks.
Here is an applicable quote from the Green Book:
7.06 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined.
Use the top of the cube if you prefer
If my approach and my list of risks seem a little too rogue to you and you prefer to tie everything you do to the standards, you could use the categories at the top of the COSO cube as your benchmark.
You could ask whether you considered each risk as it affects operations, reporting, and compliance. You could also use the evolved version of COSO, the COSO ERM model, and add strategy as a fourth category in your analysis.
Now that we have identified several high magnitude and high likelihood risks that deserve our attention, it is time to choose what we are going to do about them.
Per the Green Book, management has four choices for each risk they care about. They can accept the risk, avoid the risk, reduce the risk, or share the risk.
7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following:
• Acceptance – No action is taken to respond to the risk based on the insignificance of the risk.
• Avoidance – Action is taken to stop the operational process or the part of the operational process causing the risk.
• Reduction – Action is taken to reduce the likelihood or magnitude of the risk.
• Sharing – Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses.
Why would an organization accept a risk? Well, maybe mitigating the risk would be too costly. Maybe they simply don’t have the resources or the desire to change. I watched the Dustin Hoffman “dramedy” Little Big Man again recently. One of the characters was a charlatan who traveled the old west selling snake oil. Along the way he had been tarred and feathered, brutalized, and maimed by townspeople who had become violently ill after drinking his snake oil. Early in the movie the charlatan was missing his hand. By the end of the movie he also had a peg leg and only one eye! Dustin Hoffman’s character told the snake oil salesman he’d better choose another profession because his angry customers were whittling him down to a nub. And the snake oil salesman replied, “Every business has a degree of risk…” and hobbled off.
Or maybe after doing a risk assessment, the organization looks at the bad things that could happen and decides not to engage in that activity any longer. In our case study the school district could decide to cancel everyone’s purchasing cards to avoid the risks they pose. In other words, they choose to avoid the risk.
We are going to pluck a few of the risks off of our matrix and reduce them by designing controls. Another word that I hear in regard to this choice is ‘mitigate.’ Controls mitigate a risk by reducing its magnitude, its likelihood, or both.
And sharing occurs when an organization decides to partner with other organizations to take some of the responsibility for the risk. For instance, the state of Texas decided to privatize many of its correctional facilities. The state hired a professional prison management company to be responsible for running dozens of Texas prisons. This does not mean that the state of Texas is not ultimately responsible for the care of prisoners, but it does mean that if anything goes wrong, the state will not take the full brunt of the criticism. The state can fire the management company and appear proactive and responsive to the public.
Lots of steps to risk assessment
Now that we have seen all of the steps of risk assessment, let’s review.
1. Choose a subject matter
2. Break the subject matter down into activities
3. Imagine what could go wrong – the risk – of each activity
4. Ensure that you thought of everything by comparing the risks against the list of generic, fraud, and flip risks
5. Rate each risk for magnitude and likelihood
6. Decide what you are going to do with high magnitude and high likelihood risks: accept the risk, avoid the risk, reduce the risk, or share the risk
Only if you reduce or share the risk do you need to go further and apply the other components of the COSO model to that risk (control activities, information and communication, monitoring, and control environment). Risks you accept or avoid need no further control design.
Here is the matrix, one more time!
Notice that I blacked out management’s response for risks that did not rank high for both magnitude and likelihood. In our next chapter we will start applying controls to the risks that we want to reduce.