Let's get something straight right up front. In a well-managed organization,
the auditor's risk assessment will never replace the risk assessment
undertaken daily, weekly, monthly, quarterly and annually by management
in the ordinary course of managing the business. On the other hand, in a poorly
managed organization, a risk assessment can "awaken" management
to risk issues they had not previously recognized or been effectively managing.
We believe risk identification, assessment and management should be undertaken
on an enterprise basis. Far too often, auditors who begin their careers in
public accounting form a myopic perspective of risk that considers only
accounting and financial reporting implications. This is just one thin vein
in a complex array of risks facing most organizations. In addition, risks
can be addressed through a variety of dimensions, for example:
By Risk Drivers:
External
- Consumer
- Retailer
- Vendor
- Stakeholder
- Macro-Economic and Political
Internal
- Human Resource Management
- Process Management
- Technology Management
- Capital Management
- Compliance Management
OR
By Business Unit
OR
By Strategic Objective
OR
By Business Process
OR
By Internal Control Objective
OR
By Materiality Factors
Whichever of those techniques is applied, the important area of focus
is to apply risk management in a holistic sense. Risk management is everyone's
job in an organization.
Both qualitative and quantitative factors should be used in risk management,
to help identify risks and validate issues surfaced from one perspective
or another. The auditor can use various self-evaluative techniques such
as workshops, anonymous voting, or surveys. Or, the auditor can apply
certain empirical risk templates and his/her assessments with management.
At the end of the day, whichever approach is used, we believe using both
qualitative and quantitative forms of assessment together is optimal.