Revolutionizing Risk Assessments: A 5-Step Approach to Uncover New Risks
This article challenges the common audit practice of starting risk assessments by reviewing prior year documentation, arguing that this approach often leads to overlooking emerging risks. It proposes a five-step methodology that prioritizes identifying changes and drafting a new risk register before consulting past records, emphasizing the use of AI to facilitate this process. The author suggests this method helps auditors uncover new risks that are critical to an organization's audit committee.
The Pitfalls of Prior Year Anchoring in Risk Assessments
Internal audit professionals frequently fall into the trap of anchoring their current year risk assessments to previous years' documentation. This common practice, often driven by time pressures and a perceived need for consistency, can inadvertently blind auditors to new and evolving risks. By starting with last year's assessment, auditors risk merely updating existing entries rather than proactively identifying novel threats that have emerged in the intervening period. This approach can lead to a false sense of security and leave organizations vulnerable to unforeseen challenges, which are precisely the risks that audit committees are most concerned about.
A Paradigm Shift: Prioritizing Change Over Continuity
To combat the 'prior year anchor' effect, the article advocates for a fundamental shift in the risk assessment process. The core idea is to intentionally block out prior year information initially and instead focus on identifying changes within the organization and its environment. This involves leveraging tools like AI to prompt inquiries across various categories, such as new systems, process modifications, regulatory updates, personnel changes, new products or geographies, external events, and prior findings or incidents. By systematically exploring these change categories, auditors can build a fresh perspective on potential risks without the bias of historical data.
A Five-Step Methodology for Proactive Risk Identification
The proposed methodology outlines a clear, actionable sequence for conducting risk assessments that are more likely to uncover new risks:
- Block off Prior Year: Resist the urge to open last year's risk assessment first to avoid anchoring bias.
- Run the "What Changed" Prompt: Utilize AI or a structured inquiry process to identify significant changes across eight key categories before reviewing any prior documentation.
- Draft a Risk Register from Change Inventory: Based solely on the identified changes, develop a preliminary risk register, relying on professional judgment to assess potential impacts.
- Now Open Prior Year: Only after creating a fresh risk perspective, compare the new draft with the prior year's assessment to identify what carries forward, what is no longer accurate, and what is genuinely new.
- Use Comparison for Planning Meeting: Leverage this three-column comparison (carry-forward, no longer accurate, new) as the agenda for discussions with process owners, fostering more incisive and relevant conversations about current risks.
This structured approach, particularly with the strategic integration of AI, empowers internal auditors to move beyond mere compliance and deliver more valuable, forward-looking insights to their audit committees.
Read more