Page 224 - COSO Guidance Book

  Point of focus — Estimates significance of risks identified

               Identified risks are analyzed through a process that includes estimating the potential significance of
               the risk.

               The framework notes that a risk analysis needs to be performed after risks have been identified at the
               entity and transaction levels. The assessment typically involves a consideration of the probability of
               the risk occurring and its potential impact.

               For example, a local florist that obtains its inventory from overseas might evaluate the probability that
               this supply chain would be disrupted and the length of any such disruption; the florist would then
               estimate the financial impact that this supply interruption would cause.

               The framework notes that risk velocity and the duration of the impact after the risk has occurred
               should also be considered when management conducts a risk assessment. Risk velocity denotes the
               speed with which the entity is expected to experience the impact of the risk.

               For example, a local restaurant would anticipate a high velocity if the media reported that numerous
               customers became ill due to acquiring Hepatitis A at the restaurant. The restaurant would most likely
               immediately experience a drastic reduction in business due to the publicity concerning the
               customers’ illness. The duration of the impact, such as the time required to restore consumer
               confidence and rebuild a strong customer base, could be weeks, months, or even years.

  Point of focus — Determines how to respond to risks

               Risk assessment includes considering how the risk should be managed and whether to accept, avoid,
               reduce, or share the risk.

               The risk responses are classified into the following categories:

               –  Acceptance — No action taken in response to the probability or impact of the risk

                   For example, many entities recognize the risk associated with lack of segregation of duties, such
                   as errors or fraud occurring and not being detected. However, when analyzing the cost of the
                   control to mitigate this risk, management might decide not to take any action due to cost-benefit
                   issues.

               –  Avoidance — Discontinuing the undertakings that cause the risk

                   For example, an entity that is a housing contractor might not continue to expand in a certain high-
                   end market due to the lack of skilled subcontractors available to complete the project within a
                   certain time frame.

               –  Reduction — Actions taken to decrease the probability or impact of the risk

                   For example, in an owner-manager entity, the owner-manager (to lower the probability or impact
                   of billing fraud due to the bookkeeper’s creation of a fake vendor) might maintain sole custody of
                   the password that permits any changes to the vendor database.

               –  Sharing — Reducing the probability or impact of the risk by transferring or sharing a portion of the
                   risk.




            © 2020 Association of International Certified Professional Accountants. All rights reserved.    4-10