Risk Management Principle 7: Identification and Analysis

The organization identifies risks to achieving organization-wide objectives and analyzes them to determine how they should be managed.

Focus Points:

The following focal points highlight essential aspects of activities, reporting, and compliance objectives.

Covers Organization, Subsidiary, Department, Activity Units and Functional Levels.

Organization: Identifies and evaluates risks that hinder the organization’s objectives at the enterprise, subsidiary, division, operating unit, and function levels.

Identification and analysis of risk is a continuous, iterative process conducted to improve the organization’s ability to achieve its objectives. Whether an objective is explicitly stated or implied, the organization’s risk assessment process needs to consider all risks that may arise. This process is supported by various actions, techniques, and mechanisms, all related to overall risk assessment. Management develops and implements controls regarding the performance of such activities.

Management considers risks at all levels of the organization and takes the necessary measures to respond to these risks.

Risk identification should be comprehensive. It should consider all significant interactions—goods, services, and information—both within an organization and between business partners and external service providers related to the organization.

Risk identification considers risks at various levels of the organizational structure, such as the entire organization and its subunits, as well as the sales, human resources, marketing, production, and purchasing processes. Enterprise-wide risk identification usually occurs at a relatively high level and does not generally include assessment of transaction-level risks. Conversely, process-level risk identification is more detailed and does include transaction-level risks. Additionally, the risk assessment considers risks arising from external service providers, key suppliers, and distribution channel partners.

Analyzes Internal and External Factors

In identifying risks, both internal and external factors and the impact of these factors on achieving objectives are taken into account.

Management takes into account risks related to internal and external factors. Risk is dynamic. Therefore, management typically considers the rate of change in risks, achievement of objectives, other activity priorities, and costs to determine the frequency of the risk assessment process. Risks at the organizational level can arise from internal and external factors.

External factors may include

  • Economic Factors: Factors that can affect financing, capital availability, and competitive market entry, such as exchange rate risk and credit risk.
  • Natural Environment: Natural or human-caused disasters or ongoing climate change that may lead to changes in operations, reduced availability of raw materials, or loss of information systems, and that require contingency plans.
  • Regulatory Authority: A new financial reporting standard that may require an entity, management operating model, or line of business to provide different or additional reporting; a new antitrust law or regulation that requires the company to change its operating or reporting policies and strategies.
  • Activities in Foreign Countries: A change in the government of a foreign country in which the organization operates could lead to new laws and regulations or a change in tax regime (for example, a restriction on travel to that country).
  • Social Factors: Changing customer needs or expectations may affect product development, manufacturing processes, customer service, pricing, or warranties (for example, a decrease in white bread consumption for health reasons).
  • Technological Factors: Changes that may affect the availability and use of data, infrastructure costs, and technology-based services (for example, a decrease in services provided in branches as mobile phone banking grows).

Internal factors include

  • Infrastructure: Decisions on using capital resources that may affect operations and the continuity of existing infrastructure.
  • Management Structure: A change in management responsibilities that may affect how specific controls are performed.
  • Personnel: The quality of the staff recruited, and the training and motivation methods that may affect control awareness throughout the organization; contract terminations that may affect staff status.
  • Access to Assets: The nature of the organization’s operations and employee access to assets that may contribute to the misuse of resources.
  • Technology: An interruption in the functioning of information systems that can negatively impact the organization’s operations.

Identifying internal and external factors that increase organization-level risks is critical to a comprehensive risk assessment. Once the most important factors have been assessed, management will be able to assess the relevance and importance of these factors and, where possible, link these factors to specific risks and actions.

Involves Appropriate Levels of Management

The organization puts in place adequate risk assessment mechanisms that involve appropriate levels of management.

As with other processes within the scope of internal control, responsibility and accountability for risk identification and analysis processes rest with management throughout the organization and its subunits. The organization employs effective risk assessment mechanisms, including appropriately qualified and specialized management levels.

Estimates the Significance of Identified Risks

Identified risks are analyzed through a process that involves estimating the potential significance of the risk.

As part of risk analysis, the organization evaluates the significance of risks to achieving objectives and sub-objectives. Organizations can evaluate the significance of a risk using metrics such as the following:

  • The probability of the risk occurring and its impact
  • The speed with which the impact is felt if the risk occurs
  • The persistence or duration of the effect after the risk occurs

“Likelihood” and “impact” are commonly used terms. However, some organizations use terms such as “probability,” “severity,” “seriousness,” or “consequence” instead. While “likelihood” expresses the possibility of an event occurring, “impact” refers to the effect that the event will have. In some cases, these words acquire more specific meanings: “likelihood” is then used when the chance of a particular risk occurring is expressed in qualitative degrees such as “high,” “medium,” and “low,” indicating the nature of the risk, whereas “probability” refers to quantitative measurements such as a percentage, a frequency of occurrence, or another numerical measure.

Determines How to Respond to Risks

Risk assessment involves considering how risks will be managed and whether to accept the risk, avoid the risk, reduce the risk, or share the risk.

Inherent Risk: Management considers both inherent and residual risks. Inherent risk is the risk to achieving the organization’s objectives in the absence of any measures management might take to change the likelihood or impact of the risk.

Residual Risk: Residual risk is the risk to achieving the organization’s objectives that remains after management has developed and implemented its responses to the identified risks. Risk analysis is first applied to inherent risk. As discussed below, management evaluates the risks again once risk responses have been developed. Assessing inherent risk in addition to residual risk helps the organization understand the extent of the responses required.

Response to Risk: Once the potential significance of risks has been assessed, management considers how each risk should be managed. This involves judgments based on assumptions about the risk and a reasonable analysis of the costs of reducing its level. The chosen response does not always produce the least residual risk. However, if the response to a risk leaves a residual risk that exceeds the levels acceptable to management and the board, management re-examines and adjusts the response. Balancing risk against risk tolerance can therefore be an iterative process.

Responses to risk fall into the following categories:

  • Acceptance: No action is taken to influence the likelihood or impact of the risk.
  • Avoidance: Stopping actions that lead to risk. This may include discontinuing a product line, refusing to expand into a new geographic market, or selling a division.
  • Mitigation: Action is taken to reduce the likelihood or impact of the risk, or both; this often encompasses numerous day-to-day business decisions.
  • Sharing: Reducing the likelihood or impact of a risk by transferring or otherwise sharing some of the risk. Standard techniques include purchasing insurance products, forming joint ventures, engaging in hedging transactions, or outsourcing an activity.

Considerations in Selecting a Risk Response

  • The effect of each response option on the significance of the risk, and which options are appropriate given the organization’s risk tolerance.
  • The segregation of duties needed for the risk response to achieve the desired reduction in the significance of the risk.
  • The benefits of each potential response weighed against its costs.
  • Other organization-specific focus points, if any.
