Risk-Based Auditing - YYY
Uploaded by StablePraseodymium
Jazan University
Summary
This document provides an overview of risk-based auditing, risk management, and underwriting, including key concepts like moral hazard, morale hazard, and COPE elements. It covers various aspects of insurance and underwriting, focusing on the principles and techniques used in this domain.
Full Transcript
Risk-Based Auditing
Risk-based auditing prioritizes the use of an organization's limited internal audit resources in the areas that pose the greatest risk to the organization. It emphasizes three principles: auditing to business objectives, focusing on the materiality of risk, and identifying threats to business goals and objectives.

Risk Management and Organizational Alignment
Risk management involves providing insurance and risk management solutions to control or contain losses and satisfy customers. Common objectives for risk management include balancing risk and reward, supporting decision making, and achieving goals such as tolerable uncertainty, legal and regulatory compliance, survival, business continuity, earnings stability, profitability, growth, and social responsibility.

Underwriting
Underwriting helps insurers develop and maintain a growing, profitable book of business by minimizing adverse selection, ensuring adequate policyholders' surplus, and enforcing underwriting guidelines. Underwriters select insureds, classify and price accounts, recommend or provide coverage, manage a book of business, support producers and insureds, and support the achievement of the insurer's marketing objectives.

Staff Underwriters
Staff underwriters research the market, formulate underwriting policy, revise underwriting guidelines, evaluate loss experience, develop coverage forms, review rates, arrange reinsurance, assist with complex accounts, and conduct underwriting audits.

Underwriting Policy
Underwriting policy is a guide to individual and aggregate policy selection that supports an insurer's mission statement.

Essential Knowledge for Underwriters
Successful underwriters possess knowledge of insurance principles and practices, loss exposures and pricing, insurance rates, loss analysis, and internal and external information sources.
Rating
Rating involves applying the applicable rate and rating plan to an exposure and performing the necessary calculations to determine the policy premium.

Moral Hazard
Moral hazard is a condition that increases the likelihood that a loss will be caused intentionally or exaggerated.

Property Application
Underwriters examine the crucial information in a property application, including loss history, COPE elements, and property values.

Supplemental Information
Supplemental information, such as risk management programs, financial statements, risk control reports, and property valuation guides, helps underwriters further assess the quality of a property account.

COPE and Loss Run
The COPE elements analyzed by commercial property underwriters are construction, occupancy, protection, and external exposures. A loss run is a report detailing an insured's history of claims over a specific period.

Morale Hazard
Morale hazard is a condition of carelessness or indifference that increases the frequency or severity of loss.

Fire Protection and Fire Division
Underwriters analyze the loss exposures posed by immediately neighboring properties or the surrounding area. A fire division is a section of a structure that is well enough protected that fire cannot spread from it to another section, or vice versa.

Public and Private Fire Protection
Public fire protection refers to the equipment and services made available through governmental authority to all properties within a defined area. Private fire protection refers to measures taken by property owners to protect their own assets from loss by fire.

Residential and Occupational Loss Exposures
Underwriters should evaluate residential loss exposures by considering hazards that can increase liability losses involving invited guests. Personal insurance applications include questions about occupation or employment to help determine potential loss frequency and severity.
Rating Plan
A set of directions specifying the criteria for the exposure base, the exposure unit, and the rate per exposure unit used to determine premiums for a particular line of insurance.

Combined Ratio
A combined ratio of less than 100 means the insurer is making a profit from underwriting insurance; a combined ratio of more than 100 means the insurer is not making an underwriting profit.

Nonfinancial Measures
Used to monitor underwriting results, including:
- Selection
- Product or line of business mix
- Pricing
- Retention ratio
- Hit ratio
- Customer service
- Premium volume

Retention Ratio
The percentage of expiring policies an insurer renews. Retaining policies is more profitable than acquiring new business because most, if not all, of the underwriting investigation work has already been completed for existing policies. A low retention rate may indicate a problem with the insurer's service, such as customer dissatisfaction with claims service.

Hit Ratio
Measures how well underwriters are meeting sales goals by comparing the number of policies written with the number of applications quoted.

Physical Controls
Limit an individual's physical access to protected information or facilities, e.g., locks, doors, fences.

Technical Controls
Also called logical controls; implemented in the computing environment, e.g., operating systems, application programs, database frameworks, firewalls.

Directive Control
Specifies expected employee behavior, often in the form of policies and guidelines, e.g., an acceptable use policy.

Deterrent Control
Discourages individuals from violating security policies because of the effort required to circumvent it or the negative consequences of doing so, e.g., CCTV monitoring.

Preventative Control
Stops a security incident from occurring, e.g., background screenings.

Compensating Control
Implemented when the system cannot provide the protection required by policy, in order to mitigate the risk to an acceptable level, e.g., an agreed exception process.
Detective Control
Alerts the security professional to an attempted security violation.

Corrective Control
Responds to a security violation to reduce or eliminate its impact, e.g., escorting unauthorized persons offsite.

Hazard
A condition or activity that has the potential for harm.

Risk
The chance or probability of occurrence of an injury, loss, or hazard.

Incident
An event in which a work-related injury, illness, or fatality occurred or could have occurred.

Risk Response Strategies
Four strategies:
- Avoidance
- Transfer
- Retention
- Reduction

Risk Assessment
The overall process of risk identification, risk analysis, and risk evaluation.

ALARA and ALARP
ALARA: As Low As Reasonably Achievable.
ALARP: As Low As Reasonably Practical.

Loss Control Measures
Examples include:
- Hazcom training
- Machine guards
- Confined space programs

Domino Theory
All accidents are caused by a chain of events, and removing any one link in the chain can prevent the accident.

Petersen's Accident/Incident Theory
The causes of accidents and incidents are human error and/or system failure.

Risk Analysis vs. Risk Management
Risk analysis: a scientific activity that estimates risk.
Risk management: determines whether the risk is acceptable and what methods will be used to reduce it to an acceptable level.

Hazard Analysis Categories
Three categories:
- Environmental issues that create stress
- Inherent properties that create hazards
- Failures of people and materials

Primary Methods for Reducing Accidents
Two methods:
- Prevention (loss control)
- Financial (cost reduction)

Objectives of Risk Management
For a business, objectives include:
- Reducing anxiety prior to a loss
- Meeting responsibilities as a good corporate citizen
- Continued growth after suffering a loss

Poka-Yoke
A lean manufacturing technique focused on the prevention or detection of errors: mistake-proofing methods aimed at designing fail-safe systems that minimize human error.
Kaizen
A Japanese term for continuous improvement.

5-S
An effective housekeeping technique that includes:
- Sort
- Straighten
- Scrub
- Systematize
- Standardize

Risk Management Techniques
Risk control: measures to prevent or reduce losses.
Risk financing: purchasing insurance to help pay for losses that do occur.

Risk Management
Examining the feasibility of risk management techniques involves financial and non-financial considerations. Financial considerations include forecasted losses, insurance types, and deductibles. Non-financial considerations include business operations, customer and employee safety, and reputation.

Implementing Risk Management Techniques
Risk financing techniques are implemented by risk management professionals. Risk control techniques are implemented by operations managers and involve communication and training.

Insurance
Rating plan: a set of directions specifying the criteria for the exposure base, the exposure unit, and the rate per exposure unit used to determine premiums.
Combined ratio: a ratio of less than 100 indicates an underwriting profit, while a ratio of more than 100 indicates no underwriting profit.
Non-financial measures used to monitor underwriting results include selection, product or line of business mix, pricing, retention ratio, hit ratio, and customer service.

Underwriting
Retention ratio: the percentage of expiring policies an insurer renews.
Hit ratio: measures how well underwriters are meeting sales goals by comparing policies written with applications quoted.
Underwriting elements include limits of liability, deductibles, and the underlying insurer.
Loss severity, rather than frequency, is the primary underwriting concern.

Reinsurance
Reinsurance: transferring some of the risk to another insurer through a contractual agreement.
Facultative reinsurance: reinsurance of individual loss exposures, where the primary insurer chooses which loss exposures to submit.

Underwriting Guidelines
Underwriting guidelines: a written manual communicating an insurer's underwriting policy and specifying the attributes of an account that the insurer is willing to insure.

Qualitative and Quantitative Risk Assessment
Qualitative assessment: uses categorical or non-numeric values to estimate risk.
Quantitative assessment: uses numerical estimates based on the historical occurrence of incidents and the likelihood of the risk recurring.
Methods include the Delphi Method, the Facilitated Risk Analysis Process (FRAP), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).

Risk Assessment Formulas
ARO (Annual Rate of Occurrence): an estimate of the number of times an identified event or threat will occur within a year.
EF (Exposure Factor): the potential percentage of loss to an asset if a threat is realized.
SLE (Single Loss Expectancy): the impact of a single occurrence of the event, calculated by multiplying the Exposure Factor by the Asset Value.

EPA Human Health Risk Assessment
Four steps: hazard identification, dose-response assessment, exposure assessment, and risk characterization.

Underwriting Elements
Underwriters can require higher limits of liability and deductibles for certain loss exposures. The underlying insurer is an important underwriting element to consider, since some insurers provide umbrella or excess coverage only over their own primary policies.

Loss Analysis
Underwriters need a thorough understanding of the insured's operations to identify loss exposures and determine whether the existing loss experience is appropriate for those operations. Loss severity, rather than frequency, is the primary underwriting concern in umbrella and excess liability underwriting. Underwriters also analyze catastrophe loss exposures.

Reinsurance
Reinsurance is a process in which an insurer transfers some of its risk to another insurer through a contractual agreement. In facultative reinsurance, the primary insurer chooses which loss exposures to submit to the reinsurer, which can accept or reject any submission.
Underwriting Guidelines
Underwriting guidelines are written manuals that communicate an insurer's underwriting policy and specify the attributes of an account that the insurer is willing to insure.

Hazard and Risk Management
A hazard is a condition that increases the frequency or severity of a loss. Premium audits are methodical examinations of a policyholder's operations, records, and books of account to determine the actual exposure units and premium for insurance coverage already provided. Telematics is the use of technological devices to transmit data via wireless communication and GPS tracking.

Predictive Modeling
Predictive modeling is a process that blends historical data on behaviors and events with multiple variables to construct models of anticipated future outcomes. Catastrophe models are computer programs that estimate losses from potential future catastrophic events.

Insurance Types
Catastrophe insurance covers low-probability, high-cost events. Reinsurance is an agreement between a primary insurer and a secondary insurer in which the secondary insurer agrees to cover all or part of the primary insurer's losses. Retrocession is the portion of risk or amount of insurance the company chooses not to retain.

Human Factors Theory
The Human Factors Theory by David Yates categorizes accident causes into three broad categories: overload, inappropriate worker response, and inappropriate activities.

Vicarious Liability and Incident Investigation
Vicarious liability assigns liability for an injury to a person who did not cause the injury but has a particular legal relationship to the person who acted negligently. The front-line supervisor is responsible for conducting an incident investigation. The Hierarchy of Controls includes elimination, substitution, engineering controls, warnings, administrative controls, and personal protective equipment.

Hazard Analysis
Hazard analysis is a process to identify hazards and recommend risk reduction alternatives in procedurally controlled activities during all phases of intended use. Preliminary Hazard Analysis (PHA) is the most commonly used system safety analysis technique.

Inductive and Deductive Reasoning
Inductive reasoning works from the specific to the general, e.g., FMEA, FHA, or ETA. Deductive reasoning works from the general to the specific, e.g., FTA.

Fault Tree Analysis (FTA)
FTA is a deductive technique that starts from an undesired outcome (the top-level event) and works back through all the possible ways it could happen. The undesired event is selected, and all possible happenings that can contribute to it are diagrammed in the form of a tree. The branches are continued until independent events are reached. Probabilities are determined for the independent events, and after simplifying the tree, both the probability of the undesired event and the most likely chain of events leading up to it can be computed.

Hazard and Risk
A hazard is a condition or activity that has the potential for harm. Risk is the chance or probability of occurrence of an injury, loss, or a hazard or potential hazard.
Incident and Risk Response Strategies
An incident is an event in which a work-related injury, illness, or fatality occurred or could have occurred. The four risk response strategies are avoidance, transfer, retention, and reduction.

Risk Assessment and Evaluation
Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. ALARA means As Low As Reasonably Achievable. ALARP means As Low As Reasonably Practical.

Loss Control Measures and Domino Theory
Examples of loss control measures include Hazcom training, machine guards, and confined space programs. The Domino Theory states that all accidents are caused by a chain of events.

Other Risk Management Concepts
SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is a way to evaluate risks, geared more toward business strategy in general. Job Safety Analysis (JSA) measures the inherent risk of each step in a work process, assigns a risk level to each step, and identifies ways to minimize the risk. Safety benchmarking is a technique for measuring a company's safety program against others to identify best practices.

Risk Management Program
Circumstances such as new loss exposures or new developments in existing loss exposures may require revision of a risk management program.
Risk Identification and Analysis
Various tools and methods can be used to identify and analyze an organization's risks, including:
- Loss histories
- Checklists
- Audits
- Computer software
- Team approaches
- Flowcharts and organizational charts
- Personal inspections
- Company documents or records
- Risk registers
- Risk maps
- Root cause analysis

Risk Treatment Techniques
The primary techniques for treating loss exposures are:
- Avoid the risk
- Modify the risk
- Transfer the risk
- Retain the risk

Risk Control Techniques
Risk control techniques aim to reduce the frequency or severity of a loss and include:
- Avoiding a risk
- Modifying a risk
- Loss prevention techniques

Risk Financing Techniques
Risk financing techniques involve planning to pay for losses and include:
- Retention (planning to generate funds to pay for losses)
- Transfer (shifting financial responsibility for losses to another party through a contract)

Selecting Risk Management Techniques
The most appropriate risk management techniques are those that support and reinforce, rather than prevent or undermine, achievement of a personal objective.

How Organizations Select Risk Management Treatments
Organizations analyze their losses by frequency and severity. Severity is the amount of a loss, typically measured in dollars. Frequency is the number of losses that occur within a specified period.

Personal and Advertising Injury Liability Loss Exposures
Personal and advertising injuries can result from various offenses, including false arrest, wrongful eviction, slander, libel, invasion of privacy, and copyright infringement. Liability for personal and advertising injury is a commonly covered commercial loss exposure.

Medical Payments Loss Exposures
Medical payments coverage pays necessary medical expenses for anyone injured while on the insured's property or because of the insured's activities.
Real Property (Realty)
Real property includes land, structures permanently attached to the land, and whatever is growing on the land.

Ethical Principles
Ethical principles for risk management include:
- Fair presentation
- Confidentiality
- Due professional care
- Independence
- Evidence-based approach
- Risk-based approach

Pure Risk
Pure risk is a risk that presents the chance of loss but no opportunity for gain.

Other Concepts
Whole person theory is a method of evaluating a person's abilities after an injury.
Indemnity is the benefit associated with wage replacement.
Wage loss theory is a method of evaluating a person's lost wages after an injury.
A life care plan is a comprehensive report that identifies a person's medical condition and ongoing care requirements.
Residual risk is the risk remaining after risk treatment.
Retained risk is the risk that an organization chooses to retain.
A Pareto analysis chart is used to rank items in order of severity or frequency.
ISO 19011 outlines seven principles for auditing, including integrity, fair presentation, and confidentiality.

Risk Management
Risk: uncertainty about whether a loss will occur, consisting of two key elements: uncertainty and loss.
Risk management: the process of handling uncertainty about whether losses will occur as well as possible, by trying to decrease the frequency or severity of losses and/or paying for the losses that occur despite an individual's or business's best efforts.

Types of Risk
Pure risk: can result only in a loss or no loss and presents no opportunity for gain. Example: the owner of an apartment building faces the risk of a fire loss.
Speculative risk: can result in a loss, no loss, or a gain. It must be managed differently from pure risk.

Risk Management Frameworks
Enterprise Risk Management (ERM) emphasizes the interrelationship of risks from many different sources and a coordinated strategy to manage them; it assesses and treats risks to maximize value to the organization's stakeholders.
Common Risk Frameworks
- Risk IT Framework (ISACA)
- ISO 31000
- Enterprise Risk Management - Integrated Framework (COSO)
- Risk Management Framework (NIST)

Risk Assessment Methods
Qualitative assessment: an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
Quantitative method: a numerical estimate based on the historical occurrence of incidents and the likelihood of the risk recurring.
Delphi Method: a qualitative assessment of risk that involves questioning a panel of independent experts to obtain asset value forecasts.
FMEA (Failure Modes and Effects Analysis): a method for identifying the various possible failure outcomes.

Risk Assessment Steps
- Identify the hazard or risk
- Decide or determine who could be affected
- Assess or evaluate how they might be affected
- Record the results or findings
- Review the results on a recurring basis

Risk Management Guidelines
- Construct your risk management program around a process of analysis, prioritization, response, and monitoring and measuring.
- Integrate risk management into the larger framework of governance, risk management, and compliance (GRC) to simplify and improve all three processes.
- Follow the phases of the risk analysis process to identify the impact of risk on your organization.
- Comprehensively identify all of your assets that are susceptible to risk.
- Place a value on your assets using one or more valuation methods.
- Identify how each asset is vulnerable.
- Identify the threats to each vulnerable asset.
- Assess risk in qualitative or quantitative terms, depending on the context of the risk and the business needs of your organization.
- Prioritize risks so that larger risks are addressed more quickly and thoroughly than smaller ones.
- Respond to risk in different ways depending on context: avoid, mitigate, transfer, or accept.
Risk Management Techniques
Risk financing is handled by insurance, with insurance professionals suggesting appropriate limits, coverages, endorsements, and other options. Organizations analyze their losses by frequency and severity: frequency is the number of losses that occur within a specified period, and severity is the amount of a loss, typically measured in dollars.

Transfer of Risk
A risk financing transfer shifts financial responsibility for losses from one party to another through a contract.

Personal Umbrella Policy
An umbrella policy provides an additional level of protection against large liability losses by adding liability limits above those of the existing policies. It might also cover claims that the underlying policies do not cover at all.

Underwriting
A personal umbrella policy requires a certain amount of underlying coverage, so one of the first things an underwriter does after receiving an application is check whether the underlying requirements are met.

Physical and Technical Controls
Physical controls limit an individual's physical access to protected information or facilities, e.g., locks, doors, fences. Technical controls, also called logical controls, are implemented in the computing environment, e.g., in operating systems, application programs, database frameworks, and firewalls.

Types of Controls
Directive control specifies expected employee behavior and often takes the form of policies and guidelines.
Deterrent control discourages individuals from violating security policies because of the effort required to circumvent it or the negative consequences of doing so.
Preventative control stops a security incident from occurring.
Compensating control is implemented when the system cannot provide the protection required by policy, in order to mitigate the risk to an acceptable level.
Detective control alerts the security professional to an attempted security violation.
Corrective control responds to a security violation to reduce or completely eliminate its impact.
Recovery control returns the system to an operational state after a failure, protecting the CIA triad.

Consequences in Modern Management Theory
- Consequences are positive or negative.
- Consequences are immediate or future.
- Consequences are certain or uncertain.
- Consequences are a very powerful motivator.

Risk Definition and Analysis
Risk is defined as a combination of severity and probability. The risk remaining after risk treatment is termed residual risk. Residual risk can contain unidentified risk and can also be termed retained risk.

Analysis Techniques
A Pareto analysis chart is used for ranking in order of severity or frequency.
Failure Modes and Effects Analysis (FMEA), or Failure Modes, Effects, and Criticality Analysis (FMECA), is a bottom-up system safety technique.
Fault Tree Analysis (FTA) is used to evaluate a product's safety and can be used in conjunction with FMEA.
Fault Hazard Analysis (FHA) follows an inductive reasoning approach to problem solving.
Common Cause Failure Analysis evaluates multiple failures that may be caused by a single event or causal factor common to or shared by multiple components.