The definition and measurement of the risk associated with achievement of specific objects by the employees and managers who are responsible for the achievement of the those objectives.
Organization's vision statement (where are we going?).
Goals and Objectives
Specific milestones to realization of the mission statement.
What we do to ensure achievement of goals and objectives.
The systems within which all work takes place.
Anything that can prevent the achievement of goals and objectives.
Impact of Risk
Effect on achievement of goals and objectives when the risk happens.
If the risk happens, we will probably not achieve our objective or to so so will require major damage control ("show stopper").
If the risk happens, we will have to do extra work or we will be inefficient, but we can still achieve our goal or objective.
If the risk happens, we will be aware of it, but it will have little or no effect upon operations or the achievement of the objective.
Probability of Risk
Likelihood of the risk happening.
It will happen often.
It is likely to happen, but not often.
It is unlikely to happen at all.
How are you going to manage a risk?
Do nothing to manage risk.
Do not do the activity the generates the risk.
Establish policies and procedures to manage the risk.
Manage the Risk
Do something to lower the probability to an unacceptable level.
Let someone outside the organization do the control.
The set of execution (level 1), Supervisory (level 2), and oversight (level 3) controls that must operate to provide on-going assurance that a specific risk is being managed as planned.
Execution controls (level 1)
Policies and procedures applied by employees or systems to every transaction or event.
Supervisory control (level 2)
Policies and procedures applied by supervisors or representatives of supervisors to ensure employees are properly performing and documenting the execution (level 1) controls.
Oversight Controls (level 3)
Policies and procedures applied by middle and upper management or their representatives to ensure that supervisory (level 2) controls are being properly performed and documented.
The levels of assurance that can be provided about the proper management of the risks.
The written and signed representation from any manager that the risk management strategies applicable to that manager have been properly executed and documented.
The partnership of management and internal audit to provide the governance function with some level of assurance about all the risk.