Internal Auditors should move beyond risk mapping and their over reliance on ERM heat maps and static risk registers by quantifying risks to more precisely inform management and the Audit Committee about the costs of achieving objectives…

Internal Auditors should move beyond risk mapping and their over reliance on ERM heat maps and static risk registers by quantifying risks to more precisely inform management and the Audit Committee about the costs of achieving objectives …

Challenges to an internal auditor’s professional judgement and the perceived lack of transparency about at how they arrive at risk rankings can be alleviated by employing a more supportable and scientific approach to their risk assessment and analysis.

How often, as an internal auditor, have you been asked by management or an Audit Committee member how you arrived at a risk rating of an audit observation or operational risk and not being able to give a well‑supported answer? That can be improved or even avoided with quantification of risks.

In its simplest form, using probability percentages with likely consequences or impacts in dollar terms or other measurable quantities (e.g. lost units of production, fines, ransom, time, etc.) or more complex quantitative analysis methods such as Monte Carlo simulation can give a quantitative value of the risk that provides better information or data on the consequences of risks and success of corrective action.

These methods are not meant to give precise values but are especially valuable for high velocity risks where there is a short time between risk identification and the risk event occurring. For example, how often do multi‑million dollar IT transformational projects go overbudget to the surprise of the Board when the quantifiable information on project risks (cost, scope and schedule) were available and the Board could have been informed ahead of the overruns?

High velocity risks were prevalent at the beginning of the 2020 pandemic when many businesses moved operations to virtual platforms that were not ready or untested leading to marked increases in cyberattacks and losses from exfiltration of data, reputational damage, ransom payments and general business disruption. The risks were quantified and opportunities were lost to inform the values at risk in the organizations.

Quantifying risks is also valuable for less consequential operational risks such as data integrity risks. For example, a software bug that impacts IT operations, transaction processing and reporting between the time discovered and fixed. Management and the Audit Committee want to know what are the impacts on costs, operations, etc. and not just that the event is a high or very‑high risk. Internal auditors can step into this gap and demonstrate their capability and value by quantifying these impacts.

Integrating the quantification of risks with business objectives and mitigation strategies will bring the estimated costs closer to the how objectives will be achieved thereby being more informative for the Board. Internal audit groups are uniquely positioned in the organization to estimate the potential costs from their risk assessments and audit projects and their ability to associate them to the over‑all organization, business group, business line, process or technology objectives. Quantifying risks and associating them to objectives requires less time than the amount of time internal auditors expend on risk mapping exercises or creating static heat maps or keeping risk registers.

In its simplest form, quantification using expected value analysis assigns a probability of the likely outcome between 0.0 and 1.0 and multiplied it by the monetary value or some other unit of value to come up with the ‘expected value of the risk’. Expected values can be made over a range of probabilities and values for a best‑case to a worst‑case scenario. Other more sophisticated statistical, computer simulations, decision tree analysis or Monte Carlo simulation methodologies can be used to refine and deepen the analysis. Rather than presenting the information and data in risk mapping, heat maps and static risk registers that are usually separated from the potential impacts on the objectives to which the risks are associated, use tornado diagrams that show the analysis across a number of risk factors (e.g. cost, scope and schedule of IT projects) for a more intuitive and useful view of risks to achieving objectives.

Have your quantification techniques and results reviewed and vetted by Risk Management and others to add credibility and support to the results.

How Can I Help?

I’ve conducted several in‑depth risk management audits, risk assessments, focused risk management audit projects and conducted a major investigation into risk management practices after a signification investment loss. These experiences have led me to develop an in‑depth understanding of risk management governance, practices, processes and the use of technologies and resources. I’m also trained in ISO 31000 and COSO’s ERM framework.


Peter McConnell
B. Comm., CPA, CIA, CRMA

[..] pmcconnell@cross‑
[..] cross‑ (comingsoon)
[..] (780) 340‑7564
[..] LinkedIn

Serving North America, the UK, Ireland and Other EU countries.