The general public accesses more information more frequently and expects both private and government organizations to provide more services at a proportionate rate. Each successful technological advancement to provide this information has been accompanied by numerous failures — mistakes that expose vulnerabilities and consequently entrench a risk-averse mindset within organizations. A lack of risk-taking leads to unrealized opportunities and stifled innovation. Conversely, uncontrolled risk-taking can result in disaster. Trying to find a balance between the two can lead organizations to analysis paralysis. Measuring the risks that organizations currently take and those they are willing to take can help avoid over-analysis and enable timely, informed decision-making.
In 2016, the Canada Revenue Agency (CRA), which administers tax laws for the Government of Canada and most of the country’s provinces and territories, published its Risk Tolerance Tool to quantifiably measure the maximum level of risk exposure that management was willing to accept. The objective of this tool was to provide a basis for management discussions and to inform decisions on actions related to targeted risks. Initially, the CRA used the tool internally in yearly corporate risk profile cycles. It has since been piloted in the agency’s IT security function and internal audit department with positive results.
When approaching risk analysis, distinguishing risk exposure from risk tolerance is critical. Organizations establish risk exposure based on the likelihood that a given risk will occur and its potential impact on the organization. Risk tolerance is the maximum amount of residual risk exposure that an organization is willing to accept while working toward an expected outcome. By comparing how these concepts are quantified, management and assurance providers can more effectively identify the risks that must be mitigated, those that do not require additional action, and even those existing in an overcontrolled environment.
Make an Action Plan
The risk tolerance portion of the tool consists of five clear tolerance criteria that are selected based on their relevance to audit engagements and their ability to be applied consistently from one engagement to the next:
- Maturity — The level of experience the agency has dealing with the issue or risk.
- Criticality — The criticality, to the government or the CRA, of the service to which this risk applies.
- Sensitivity — The level of sensitivity that the CRA has toward this risk occurring.
- Span of control — The level of control the CRA has over this risk.
- Base profile — A consistent factor that lowers the tolerance to each risk.
The first four criteria each receive a score out of 25; the lower the number of points, the lower the organization’s tolerance for the risk. A risk that is highly critical and sensitive, and for which the organization has a large span of control, would receive few or no points for those criteria. However, a risk with which an organization has a high level of experience would contribute to a higher tolerance, receiving up to 25 points to account for the organization’s maturity. The tool adds the points for each criterion to calculate the level of tolerance for each risk. But, because the organization is not fully tolerant of any risk, the tool applies a base factor uniformly to all risks by giving 0 points out of a possible 20 points. The final score is out of 120 (see “The Risk Tolerance Model” below).
Auditors calculate the more traditional residual risk exposure by assessing the risk likelihood and the risk impact and multiplying them. Note that likelihood and impact each have a maximum of 5 points. Therefore, to obtain the residual risk score out of 100, the product of the likelihood times the impact is multiplied by 4. For example, if the likelihood is 3 and the impact is 5, the residual risk exposure would be 3 x 5 x 4 = 60. The tool then factors in the trend for a given risk by considering if it is increasing, decreasing, or stable; +20, -20, and 0 respectively. Adding the trend to the residual risk exposure results in a total risk exposure out of 120.
The tool compares total risk exposure with the total tolerance to determine if controls should be maintained, if the risk is in a caution zone, or if risk mitigation is required.
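The scoring model described above, implemented as an added illustration that is not the CRA's own tool: four tolerance criteria out of 25 plus a base profile fixed at 0 of 20, exposure as likelihood x impact x 4 adjusted by the trend, and a comparison of the two. The article does not state how wide the caution zone is, so the 10-point band below tolerance (`CAUTION_BAND`) and the `Risk` field names are assumptions.

```python
from dataclasses import dataclass

# Scoring constants taken from the article's description of the CRA model.
CRITERION_MAX = 25          # each of the four tolerance criteria is scored out of 25
BASE_PROFILE_POINTS = 0     # base profile: 0 of a possible 20, so no risk is fully tolerated
RATING_MAX = 5              # likelihood and impact are each rated out of 5
TREND_POINTS = {"increasing": 20, "decreasing": -20, "stable": 0}
CAUTION_BAND = 10           # ASSUMPTION: the article does not give the caution zone's width

@dataclass
class Risk:
    name: str
    maturity: int           # more experience -> more points -> higher tolerance
    criticality: int        # criticality, sensitivity, span of control: fewer points
    sensitivity: int        # when the organization cares more -> lower tolerance
    span_of_control: int
    likelihood: int
    impact: int
    trend: str              # "increasing", "decreasing" or "stable"

def _check(value, upper, label):
    if not 0 <= value <= upper:
        raise ValueError(f"{label} must be between 0 and {upper}, got {value}")
    return value

def tolerance_score(risk):
    """Tolerance out of 120: four criteria out of 25 each plus the base profile (0 of 20)."""
    criteria = [risk.maturity, risk.criticality, risk.sensitivity, risk.span_of_control]
    return sum(_check(c, CRITERION_MAX, "criterion") for c in criteria) + BASE_PROFILE_POINTS

def exposure_score(risk):
    """Exposure out of 120: likelihood x impact x 4 (residual, out of 100) plus the trend."""
    likelihood = _check(risk.likelihood, RATING_MAX, "likelihood")
    impact = _check(risk.impact, RATING_MAX, "impact")
    return likelihood * impact * 4 + TREND_POINTS[risk.trend]

def classify(exposure, tolerance, caution_band=CAUTION_BAND):
    """Above tolerance: mitigate; within the band below it: caution; otherwise maintain."""
    if exposure > tolerance:
        return "mitigate"
    if exposure > tolerance - caution_band:
        return "caution"
    return "maintain"

def assess(risks):
    """(name, exposure, tolerance, verdict) per risk, largest gap above tolerance first."""
    rows = [(r.name, exposure_score(r), tolerance_score(r)) for r in risks]
    return sorted(((n, e, t, classify(e, t)) for n, e, t in rows),
                  key=lambda row: row[1] - row[2], reverse=True)
```

With the article's own figures (likelihood 3, impact 5) and an increasing trend, `exposure_score` returns 80; a risk scored 20/5/5/10 on the four criteria has a tolerance of 40, so `assess` ranks it first and marks it "mitigate".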
The CRA developed a slider figure alongside the risk tolerance tool to help management visualize the output of its risk analysis (see “Risk Tolerance Slider” below). By inputting the exposure and tolerance values into the slider bar, the user can quickly and clearly visualize the residual risk exposure in relation to the risk tolerance threshold and the necessary level of action. Auditors flag risks that are within the caution zone for closer observation. Although there is no mandatory requirement to mitigate risks in the caution zone, management can choose to mitigate or monitor them as it sees appropriate.
One of the CRA’s priorities when developing this tool was ensuring the flexibility and adaptability of the risk criteria. Users can modify these criteria based on organizational needs and scale them to fit any type of project. Because the scoring methodology remains constant across different criteria, organizations can maintain consistency in decision-making when assessing the need for intervention. Additionally, users can modify and adjust both the set of criteria and the weight attributed to each criterion over time to better reflect the organization’s risk environment. Therefore, although consistent criteria allow for comparability, auditors can tailor the tool to any audit phase, as long as it is consistent within that phase.
Internal audit’s use of the tool assessed the risks related to differing opinions of the audit client and audit team about the significance of a finding and internal audit’s recommendation — namely, where the client indicated no action was necessary.
The tool indicated to management that action was preferable and allowed the audit client to address the areas where risk exposure was above tolerance. Of the three risks related to the recommendation, management confirmed that one risk did not need to be mitigated. However, two risks with gaps between tolerance and exposure needed to be addressed with a balanced set of actions. Those actions included interim measures to mitigate a risk expected to be eliminated by a system change in a few years. Management may not have recognized the importance of acting on the risk until the system change, but the tool helped executives realize that the risk needed to be mitigated leading up to the system change.
Having audit client subject-matter experts fill out the risk tolerance tool helped them better understand the recommendation and the possible actions that they could take. This improved relationships between auditors and audit clients so clients could focus their energy on developing solutions for addressing identified gaps instead of negotiating recommendations.
By applying this stable risk-tolerance process, employees can have a consistent understanding of both the organization’s approach to risk and management’s risk mitigation criteria. This predictability also can lead to increased employee confidence in senior management’s decision-making and improved mitigation strategies by allowing management to concentrate on the most critical risks first.
Applying the Tool Across the Organization
During the pilot, internal audit management realized there are many other possibilities for using the risk tolerance tool in the audit and evaluation communities. Applying it within an organization’s risk-based audit planning process can facilitate the identification and subsequent triage of potential engagements, so that the audit function can focus on those with the highest exposure above tolerance.
Similarly, incorporating it into the planning phase of an audit could simplify the scope and depth of the audit program. This, in turn, may increase the audit’s effectiveness by focusing audit procedures on risks that have surpassed the caution zone.
In fact, since the first pilot in the reporting on recommendations, internal audit piloted the tool during scoping in the planning phase of one of its audits. Benefits to this approach are currently being analyzed. Also, internal audit successfully piloted the tool to determine if an outstanding management action plan had become obsolete as a result of changes to the environment that affected the underlying risks that led to the original recommendation.
A Risk-aware Culture
While the CRA continues to pilot and refine the risk-tolerance assessment approach within internal audit, other Canadian government departments have expressed interest in piloting the tool to identify additional applications. This has expanded intelligent risk-taking across the government. By promoting and getting employee buy-in for a more risk-aware culture, the possibilities for using the tool have become endless.