
What to Do: Performing and Refreshing Enterprise Risk Assessments

Feb 25, 2023

An auditor signs into a virtual meeting and asks, “Have you ever taken time to ask yourself the question, ‘What keeps me up at night?’” While this approach may seem trite, it is still a good question to ask yourself. Is it a sense of uncertainty, or the overall fear of what could go wrong? If the answer starts to amount to a multitude of items, you may begin considering additional questions, such as, “What is the likelihood of these events occurring? How will this affect the achievement of my goals? How can I come to manage all of this?” The thought of risk at the personal level may feel overwhelming.

As the leader of an organization, objectives may include creating and maximizing value. As such, the consideration of risk quickly becomes “Where are we exposed as an organization and what can we do to manage our risks?” For example, the risk of internal fraud relates to the misappropriation of funds or activities completed in an illegal or unauthorized manner, typically as a result of a lack of segregation of duties in an organization. No matter the specific fraud scheme perpetrated, the impact to the achievement of objectives at an organization can be detrimental. For additional information on the risk of fraud, check out the article “What to Do: Performing and Refreshing Fraud Risk Assessments.” However, fraud risk is just one of many categories of risk applicable to any organization. To answer the question of “where is our organization exposed?” you may consider if there are any concepts, tools or methods that can help you regain peace of mind, personally and for your organization.

Understanding Enterprise Risk Management (“ERM”)

The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.”[1] With general risk categories wide-ranging, the comprehensive evaluation of risks that are applicable to an organization is not feasible to be completed by one individual, regardless of the size or industry focus of the organization. Organizational awareness of risk management is a focal point for determining where the greatest areas of exposure to a company are prevalent. Senior management and organizations’ boards of directors are responsible for establishing a strong tone at the top and for instilling the ERM framework, defined by COSO as “the culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value.”[2]

As previously noted, a vital goal of organizations is to create and maximize value. Organizational goals and core values are often defined and illustrated by a company’s mission statement. When considering the importance of a strong framework of internal control, which is defined by COSO as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance,”[3] the concept of ERM becomes complementary. In fact, ERM activities are meant to integrate into the internal controls of organizations. By understanding the risks applicable to your organization and staying agile to proactively react to new or changing risks, organizations can strategically perform activities to keep risks at a manageable level and continue to accomplish objectives.

It is not uncommon for organizations, whether a newly funded technology startup or a large, accelerated filer pharmaceutical company, to lack a formally defined ERM program. However, in many cases, this mindset is informally maintained and tracked by the organization’s leaders when there is consideration of how certain events impact the organization, either positively (opportunity) or negatively (risk), and to what extent the organization can take on additional risks (risk appetite). If ERM is a new concept for your organization, you may now be asking, “How do I assess risks applicable to my organization and what areas require further attention to help ensure achievement of objectives?”

Performing an Enterprise Risk Assessment (“ERA”)

ERAs are performed by management, usually the internal audit (“IA”) or ERM function, to analyze the risks impacting an organization, and can be utilized to increase the effectiveness of reporting to the board of directors and executive management. In the performance of the ERA, significant risks are evaluated and rated for potential impact and likelihood. Management may often come to find there are key themes highlighted across the organization within different departments where certain risks may not previously have been considered. For example, human capital risk may be an area where the company is exposed in both finance and accounting, as well as human resources.

There are several methods to perform an ERA at your organization. This article will focus on the performance of an ERA from a top-down approach, which breaks down a company into categories, defined overall as the risk universe. The company is positioned into separate organizations, which may relate to a department or multiple consolidated departments (e.g., operations and information technology [“IT”]). From these organizations, functional levels are established, which relate to a category of business or technology process that consists of one or more individual processes (e.g., finance and accounting, compliance, IT and governance). Each business process associated with a specific function designed to accomplish a business objective is cataloged (e.g., procurement). As defined, risk refers to the occurrence of events that affect the achievement of strategy and business objectives. To address that consideration, the final step in the top-down ERA approach is to assign each category an inherent risk rating, a control environment risk rating and an overall residual risk rating. The graphic below depicts summary definitions of residual risk, inherent risk and control environment risk, as well as a selection of example control environment risk factors, to assist management in assigning adequate ratings to risk categories impacting the organization:

[Graphic: summary definitions of residual risk, inherent risk and control environment risk, with example control environment risk factors]

Residual risk ratings for processes may assist organizational leadership, including the IA function, with determining key auditable entities for review.

In performing the ERA, employee interviews may be conducted to generate an overall understanding of processes, strategies, objectives and risks throughout the organization. This method can prove to be effective in organizations with a strong mix of personnel in senior to mid-level management roles across different departments. Interviews can be streamlined with a templated listing of questions that drive overall residual risk ratings for key categories, including the following examples:

Risk Category | Risk Description
Financial Statement Risk | Financial statement preparation and reporting obligations to stakeholders that are not met, are incomplete or are inaccurate and/or misleading, resulting in fines or reputational damage.
Third-Party Risk | Inefficient or ineffective vendors may negatively affect execution of the organization’s critical processes.
Human Capital Risk | Inability to attract and retain qualified employees, which may result in challenges being competitive or innovative in the marketplace.
Information Technology Risk | Significant interruption to business processes or technology platforms that may impact financial performance, create unmanageable costs or liability or result in increased regulatory scrutiny.
Compliance Risk | Violations of, or nonconformance with, laws, rules, regulations and prescribed practices or ethical standards leading to a diminished reputation or limited business.


Examples of the ERA interview questions for each of the sample risk categories can include the following:

Financial Statement Risk

  • How are known internal control over financial reporting (“ICFR”) deficiencies being addressed?
  • Are there any issues or inefficiencies that extend the close period?
  • Does finance possess enough resources to perform its responsibilities?

Third-Party Risk

  • Has a vendor approval process been standardized?
  • Are risk, legal and compliance involved in the approvals for new vendors?
  • Are there policies for oversight and monitoring of critical vendors?

Human Capital Risk

  • What practices are in place to retain talent and ascertain that staffing is appropriate?
  • Are background checks performed and documented for new hires?
  • How is loss of knowledge mitigated, and how is succession planning performed?

Information Technology Risk

  • What is the greatest risk to interruption of technology platforms?
  • What are the current systems and applications utilized by your team?
  • What are the processes and procedures used to manage data platforms?

Compliance Risk

  • How does the company adapt to new or emerging regulations?
  • How are policies and procedures assessed for updates due to changes in regulation?
  • Have there been any issues with adoption of new or emerging regulations in the past?

Furthermore, distributing surveys to a selection of employees across various departments is an effective way to gather large amounts of data within an organization. With either method, data analysis can be performed based on the responses received and the risks rated, which can be effectively depicted with a heat map. Once the evaluation and rating component of the ERA has been completed, management may be tasked with making decisions to accept certain risks based on the organization’s determined risk appetite, defined by COSO as “the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”[4] Depending on how the assessed residual risk compares with the organization’s risk appetite, management may decide either to implement or enhance existing procedures or to accept the risk as is. Based on the level of reporting, formal responses or explanations for accepted risks may need to be provided to executive management or the board of directors to justify the reasoning.

As noted above, the IA department of an organization, whether staffed internally or outsourced to a third-party provider, may align with or leverage a completed ERA in completing the specified IA risk assessment. The overall purpose of the IA risk assessment is to identify high-risk auditable entities within the organization, and develop an audit plan to determine scope, timing and frequency of the internal audits.

ERA Takeaways and Refreshing the ERA

With a completed ERA, organizations can prioritize areas of focus, which may also be based on opportunities for process simplification and improved efficiencies. Management may be quick to place an initial focus on addressing the high-risk categories; however, it is important for each organization to consider how the higher risk will impact business operations and the achievement of objectives before making decisions. Building awareness across the enterprise, from overall execution of the ERA (surveys or interviews being two top methods) to general institutional knowledge of the organization’s risk appetite and risk universe, will inevitably strengthen the framework and allow for seamless refreshment year over year, and potentially more frequently. Organizations can quickly elevate from a poorly controlled ERA, where results are difficult to understand (e.g., lack of standardized interview process across departments leading to inconsistent results and risk ratings), to a defined ERA process that is well-documented and complemented by the organization’s internal control procedures. When an organization can align the performance of the ERA and the internal audit risk assessment to develop the audit plan, valuable reporting to management regarding the mitigation of key risks and effectiveness of the control environment for entities can be efficiently achieved.

ERA Considerations for 2023 and Beyond

There is no better time than now to get a jump start on performing or refreshing the ERA for your organization. Regulators, including the U.S. Securities and Exchange Commission (“SEC”) and Public Company Accounting Oversight Board (“PCAOB”), are focusing their attention on hot topics such as environmental, social and governance (“ESG”) reporting, as well as reporting on cryptocurrency assets. Stay ahead of the game by assessing your organization’s exposure to recent events relating to the hot topics of ESG and cryptocurrency, and determine whether detailed reviews of the control procedures in place for managing risk and achieving objectives are required. Continue to monitor changes in regulations, the design and operating effectiveness of internal controls and any process changes or improvements, including new system implementations, when refreshing the ERA.

[1] “Understanding and Implementing Enterprise Risk Management,” The Committee of Sponsoring Organizations of the Treadway Commission.

[2] “Understanding and Implementing Enterprise Risk Management,” The Committee of Sponsoring Organizations of the Treadway Commission.

[3] “COSO Internal Control – Integrated Framework,” The Committee of Sponsoring Organizations of the Treadway Commission.

[4] “Using Risk Appetite to Thrive in a Changing World,” The Committee of Sponsoring Organizations of the Treadway Commission.


Jack Paladino

Jack Paladino is a Manager within the firm’s Risk and Compliance Services (RCS) practice and has over 5 years of experience in Sarbanes-Oxley (SOX) Section 404 compliance and internal audit.
