Not All Internal Control Risks Should Be Mitigated

In a previous blog, we discussed internal risk control assessment and introduced a comprehensive risk assessment tool, the Risk Control Matrices (RCM). This blog will address the risk assessment scales and options to respond to risks.

Risk Assessment Scales

Let’s discuss the risk assessment scales first. Most organizations define scales for rating risks in terms of impact, likelihood, materiality and other dimensions.

  • Impact refers to the extent to which a risk event might affect the organization. For example, an organization faces a lawsuit that may cause extreme harm to the organization’s reputation. In this case, management might scale the risk of the lawsuit as extreme or high.
  • Likelihood represents the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as a percentage probability, or as a frequency. For example, if an organization has low turnover and an increase in turnover at year-end is unlikely, then the resulting likelihood would be low.
  • Materiality is a fundamental principle of financial reporting and refers to the significance of transactions, balances and errors contained in the financial statements. Materiality refers to the magnitude of an omission or misstatement relative to net income, fixed assets, equity and other account information. Materiality is relative to the size and particular circumstances of each organization. For example, a small organization may define $10,000 as material and a larger organization may define $1 million as material. If management of an organization defines materiality as over $1 million and the organization now faces a potential financial loss of up to $3 million, management scales the risk of potential financial loss as high.

Some organizations use other dimensions, such as vulnerability or velocity, but the three scales above are the common risk assessment scales used by most organizations. Two or all three of them are usually combined to scale a risk. For example, a risk of financial loss of up to $X million may have a significant impact, but if the likelihood that the financial loss occurs is rare, the risk may actually be evaluated as low. In the risk assessment tool, the RCM, we scale risks as high, medium or low using the combination of impact, likelihood and materiality.

Options to Respond to Risks

After understanding risk scales, we need to determine how to deal with identified risks. As management, when you see a list of internal control risks in front of you, you might wonder whether you should mitigate all of them. The answer is NO, not always. Not all internal control risks should be mitigated, and there are other options you can take to respond to risks.

  1. Accept the risk: As management, you can choose to accept risks without engaging any efforts to mitigate them. This decision is made only after deliberate consideration: management has acknowledged a risk and understands its impact but decides to accept it. For example, an internal control may be worded "check payments received by mail or in person are date stamped, endorsed and logged by someone outside of the Accounts Receivable (A/R) department and then forwarded to A/R." Assuming an organization does not have this control in place, the risk of embezzlement of checks exists. But management may decide to accept the risk because the vast majority of customer payments are received via lockbox and wire, so there is limited exposure with physical checks. Sometimes management decides to accept a risk because it is not able to mitigate the risk due to difficulties such as geographical or technical constraints.
  2. Avoid the risk: Management can choose to avoid risks by adjusting the business programs to reduce the risks. The adjustment could involve personnel changes, business process changes or technical changes. A familiar example is an ERP system implementation. Assume that an organization is using an Accounts Payable system with a separate procurement system. To avoid risks associated with disparate systems, such as use of unauthorized vendors, purchases made without purchase orders, etc., the organization may decide to implement an ERP system.
  3. Transfer the risk: Risk transfer refers to transferring known risks from one party to another and usually involves risks that exist in a narrow, specialized area. A classic example is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer. Risk transfer also refers to reassigning organizational responsibilities and accountabilities. For example, an organization moves one business function from one office location to another for location convenience, and therefore reassigns responsibilities and transfers risks. Please note that risk transfer does not mean that the risk simply disappears. The risk still exists, but the party that carries the risk changes, or the risk may be reduced to an acceptable level because of the transfer.
  4. Watch (Wait/Monitor) the risk: Sometimes management identifies a risk but, after consideration, decides to monitor the development of the risk before taking any action. Watching means monitoring how a risk develops before taking proper action. It usually occurs when a risk has recently appeared and management does not have enough data or information to understand its impact and consequences. An example is a bug found in an information system where management does not yet have enough data or information to decide whether a patch will be sufficient or the underlying code needs to be rewritten.
  5. Ignore the risk: Management can choose to ignore some risks. Usually, the ignored risks are very low and do not have a significant business impact. For example, a paper cut is a risk occurring in offices every day, but the risk is ignored.
  6. Mitigate the risk: Risk mitigation is defined as engaging efforts and taking actions to reduce the extent of exposure to a risk and/or the likelihood of its occurrence. An example is implementing new internal controls to reduce existing risks.

Management may adopt different risk responses based on their individual circumstances. No matter which response management acts upon, a risk assessment with proper documentation is needed to explain management’s decisions. Of course, the most familiar response to risks is to mitigate or control them. Please click the button below to download the 9 Steps to Mitigate Internal Control Risks and let us know your comments and questions.

Emma Zhang is an experienced audit professional, with more than six years of internal audit and Sarbanes-Oxley (SOX) compliance experience focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes-Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients implement the Blackline system.