COSO shows how to put risk assessment into practice

BY KEN TYSIAC

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) on Friday released a thought paper, Risk Assessment in Practice, designed to help organizations find the optimal risk-taking zone, which the paper refers to as the “sweet spot.”

“Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being over controlled or forgoing desirable opportunities,” Deloitte & Touche LLP partner and paper co-author Patchin Curtis said in a news release.

The thought paper describes a risk assessment process that should be practical, sustainable and understandable. The enterprise risk management (ERM) process must be structured, disciplined, and correctly scaled to the organization’s size, complexity and geographic reach, according to the paper.

Identifying risks requires casting a wide net at first to understand the possibilities that need to be included in the organization’s risk profile, according to the paper. Prioritization then takes place to focus senior management and board attention on key risks.

The risk assessment process outlined in the paper includes:

  • developing assessment criteria
  • assigning values to each risk and opportunity
  • considering risk interactions because risks, when combined, can cause compounded damage
  • prioritizing risks
  • responding to risks


The authors advocate developing “assessment scales” to measure the impact, likelihood, organizational vulnerability and speed of onset of risks on a scale from 1 (low) to 5 (high). Any two of those factors can be plotted against each other in graphical representations known as “risk maps” or “heat maps” to inform decisions, according to the paper.

Although many organizations begin this ERM process by using simple spreadsheets, the paper says, software and systems are available that will quickly pay for themselves in saved labor costs.

The paper advises that the information learned from the risk management process must feed into the strategic planning process to facilitate the proper actions.

“You’ll know you’re doing risk assessment right,” the paper concludes, “when leaders at every level use the information to make decisions regarding value.”

Ken Tysiac (ktysiac@aicpa.org) is a JofA senior editor.
