Internal Audit Indonesia's

July 15, 2010

Business Self-Assessment Methodology

Filed under: Articles about Internal Audit — internalauditindonesia @ 12:00 am

Business Self-Assessment Overview
Four Components of Business Self-Assessment
Integrated Business Self-Assessment – Entity Level
Integrated Business Self-Assessment – Process Level
Key Definitions
Related Resources

Business Self-Assessment Methodology Overview

Business Self-Assessment is Protiviti’s dynamic self-assessment approach that leverages organizational knowledge to improve business performance at the entity or process level. Utilizing risk as its foundation, BSA uniquely integrates the assessment of strategic objectives, risks, controls and process-improvement opportunities.

Business Self-Assessment helps organizations improve business performance by enabling them to:

BSA focuses on Strategy, Risk, Control, and Process.

What is Self-Assessment?
Self-assessment is the process through which management, auditees or process owners assess the extent to which their current practices are sufficient and appropriate to achieve their strategic objectives.

Forms of Self-Assessment
Self-assessment, in general, can be executed in a number of ways including the following:

The Methodology
BSA is a Protiviti process that addresses strategy, risk, control and process. BSA is unique in comparison to Control Self-Assessment in that it utilizes a top-down approach beginning with an organization’s key strategies and the risks that may threaten the achievement of those strategies.

While BSA can be accomplished in a number of ways, our experience indicates that facilitated meetings with technology are the most effective. This technique uses effective facilitation of group discussions and real-time data collection and analysis to produce action-oriented results that can be used by an organization to improve business performance.

BSA is flexible. It must be tailored to each unique client environment and can be an integral part of an organization’s comprehensive risk-management process. Experience has shown that facilitated meetings using technology and integrating strategy, risk, control and process are the most effective means of assessing risk. The “right” choice depends on the client’s needs and business environment.

BSA is most effective when delivered by a team with knowledge of strategy, risk, control and process. The blend of required experience depends on the manner in which BSA is to be delivered. Strong facilitation skills and experience implementing the methodology are critical when BSA takes the form of a facilitated meeting.

BSA can be conducted through the execution of each component on a stand-alone basis or the integration of more than one component at either the entity or process level.

The four components of BSA are as follows:

Strategy Self-Assessment
The objective of strategy self-assessment is to understand, prioritize and reach consensus on strategic objectives for the company or a specific business process within the company. An understanding of key strategic objectives is critical to the successful implementation of Business Self-Assessment.

Risk Self-Assessment
The objective of risk self-assessment is to identify, prioritize, measure and source business risks within the company or a specific business process within the company. Business risk is the threat that an event, action or inaction will threaten the ability of a company or process to achieve its objectives and execute its strategies successfully.

Control Self-Assessment
The objective of control self-assessment is to evaluate the effectiveness of a business risk management process within a company or the internal controls within a specific business process. Controls are the policies and procedures that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a company or business process to an acceptable level.

Process Self-Assessment
The objective of process self-assessment is to enhance the performance of a specific business process within the company. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps.


Integrated Business Self-Assessment – Entity Level

The execution of Business Self-Assessment (BSA) at the entity level, in its fullest form, involves much more than one meeting or self-assessment session. It is a continuous self-assessment process that reflects the fact that organizations and their environments are dynamic, which results in an ever-changing risk profile for the organization. Proper planning and effective facilitation skills are critical to the success of an individual self-assessment session (See more on proper planning and effective facilitation skills). A typical self-assessment session at the entity level ranges from 4 to 8 hours in length and includes strategy, risk and control self-assessment. Process self-assessment is not typically included in an entity level session. The execution of an entity level session also includes appropriate Introduction and Closing segments.

Strategy Self-Assessment

The objective of this component of an integrated self-assessment session is to ensure that there is a common understanding of the key strategies of the organization among session participants. The definition of Business Risk incorporates an organization’s strategic objectives and, as a result, it is important that all participants have a common understanding of the organization’s key strategies.

This common understanding can be accomplished by:

1. Researching the organization’s strategies in advance of the session and documenting the 3 or 4 key strategies on a flipchart/overhead slide for presentation to the group. This research can be accomplished through interviews, surveys or the review of the organization’s documents. The facilitator would then ask the group “Does this accurately reflect the key strategies of your organization?”

2. Brainstorming the key strategies during the session. The facilitator will lead this activity and may include a prioritization of the strategies using the electronic voting technology. A rating scale or paired-comparison vote would be effective in this process.

Often, due to time constraints, it is beneficial to utilize the first method described above. Once there is a common understanding of the organization’s key strategies, it is a good idea to post the strategies in the meeting room for easy reference throughout the session.

Risk Self-Assessment

The objective of this component of an integrated self-assessment session is to identify, prioritize, measure and source business risks within the organization. Business risk is the threat that an event, action or inaction will adversely affect an organization’s ability to achieve its business objectives or execute its strategies successfully.

Risk self-assessment at the entity level entails a comprehensive look at those business risks that affect the organization as a whole. These risks are generally not specific to one business process but rather are applicable at the organization-wide level. Examples of entity level business risks include competitor risk, political risk and regulatory risk.

The risk self-assessment component of a self-assessment session includes the following phases:

  1. Identification / Creation of Risk Universe
  2. Prioritization of Identified Risks
  3. Sourcing of Risks

1. Identification / Creation of Risk Universe
The first phase of risk self-assessment at the entity level involves the identification of business risks applicable to the organization. This list of business risks is called the Risk Universe. It is important that participants fully understand the definition of business risk and that the facilitator continues to reinforce the relationship between strategies and risk. Brainstorming techniques are used by the facilitator to obtain participant ideas with respect to all of the business risks that may impact the organization. The Protiviti Risk Model is used as a framework for the risk identification process (See the Protiviti Risk Model). Once all of the participant ideas have been captured, risks are grouped into common risk areas in an attempt to produce a concise risk universe for voting purposes.

2. Prioritization of Identified Risks
During this phase of risk self-assessment at the entity level, risks are prioritized based on the following criteria:

  1. Significance: The impact that the event, action or inaction would have on the organization if it were to occur.
  2. Likelihood: The probability that the event or action would occur assuming no controls are in place to mitigate the risk.

Voting technology is typically used to capture responses from the session participants. (See Computer voting methods and tips) The output from this phase is a Risk Map that plots the risk universe in terms of their relative significance and likelihood. Other criteria that can be used to evaluate risk include manageability and tolerance.

3. Sourcing of Risks
During this phase of risk self-assessment at the entity level, risks are sourced to the business processes in which they reside. Typically, prior to the session, the process classification scheme has been tailored to reflect the key business processes in place within the organization. The facilitator then leads the participants through an exercise of allocating each risk to the business process(es) in which it resides. It is likely that a risk will reside in more than one process. For example, customer satisfaction risk typically resides in all business processes that have interaction with customers. For a manufacturing company, these processes might include ordering, shipping and delivery, and billing.

The objective of this phase is to identify those business processes that have an increased level of inherent risk. This information is particularly useful to the internal audit team since it can be used to focus internal audit effort on the business processes that contain increased risk. This process also helps to establish management buy-in regarding the business processes that will be audited since the risk information was provided by management.

During a self-assessment session, this phase is often executed after the completion of the control self-assessment component.

Control Self-Assessment

The objective of this component of an integrated self-assessment session is to assess whether risks are appropriately controlled within an organization. The business risks identified and prioritized during the earlier phases of the session are utilized during this phase. Participants are asked to evaluate the organization’s current level of control effectiveness over a particular risk compared to the significance of the risk. The output is a Control Map that visually depicts the voting results (See a sample Control Map). This Control Map assists in the identification of risk areas that are under-controlled, over-controlled, or appropriately controlled. Detailed discussions are typically led by the facilitator regarding the results depicted in the Control Map.

Process Self-Assessment

The objective of process self-assessment is to enhance the performance of a specific business process within an organization. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps. Because of the nature of process self-assessment, it is generally not performed at the entity level.

Integrated Business Self-Assessment – Process Level

The execution of Business Self-Assessment (BSA) at the process level involves all four components of the BSA Methodology — strategy, risk, control and process. Proper planning and effective facilitation skills are critical to the success of a process level self-assessment session. A typical self-assessment session at the process level ranges from 4 to 8 hours and would include appropriate Introduction and Closing segments.

Strategy Self-Assessment

The objective of this component of an integrated self-assessment session is to ensure that there is a common understanding of the key objectives of the business process under review among session participants. The definition of Process Risk incorporates the key objectives of a process and, as a result, it is important that all participants have a common understanding of such objectives.

This common understanding can be accomplished by:

1. Researching the organization’s strategies in advance of the session and documenting the 3 or 4 key strategies on a flipchart/overhead slide for presentation to the group. This research can be accomplished through interviews, surveys or the review of the organization’s documents. The facilitator would then ask the group “Does this accurately reflect the key strategies of your organization?”

2. Brainstorming the key strategies during the session. The facilitator will lead this activity and may include a prioritization of the strategies using the electronic voting technology. A rating scale or paired-comparison vote would be effective in this process.

Often, due to time constraints, it is beneficial to utilize the first method described above. Once there is a common understanding of the key objectives of the process, it is a good idea to post the objectives in the meeting room for easy reference throughout the session.

Risk Self-Assessment

The objective of this component of an integrated self-assessment session is to identify, prioritize and measure business risks within the business process under review. Process Risk is the threat that an event, action or inaction will adversely affect the ability of a process to achieve its objectives.

Risk self-assessment at the process level entails a comprehensive look at those risks that affect one specific process within an organization. These risks are not necessarily applicable to the organization as a whole but rather are specific to one business process. Examples of process level risks include data integrity risk, efficiency risk and performance gap risk.

The risk self-assessment component of a self-assessment session includes the following phases:

  1. Identification / Creation of Risk Universe
  2. Prioritization of Identified Risks


1. Identification / Creation of Risk Universe
The first phase of risk self-assessment at the process level involves the identification of risks applicable to the specific business process under review. This list of risks is called the Risk Universe. It is important that participants fully understand the definition of process risk and that the facilitator continues to reinforce the relationship between process objectives and risk. Brainstorming techniques are used by the facilitator to obtain participant ideas with respect to all of the risks that may impact the business process under review. The Protiviti Risk Model is used as a framework for the risk identification process (See the Protiviti Risk Model). Once all of the participant ideas have been captured, risks are grouped into common risk areas in an attempt to produce a concise risk universe for voting purposes.

2. Prioritization of Identified Risks
During this phase of risk self-assessment at the process level, risks are prioritized based on the following criteria:

  1. Significance: The impact that the event or action would have on the business process, if it were to occur.
  2. Likelihood: The probability that the event or action would occur assuming no controls are in place to mitigate the risk.

Voting technology is typically used to capture responses from the session participants (See Computer voting methods and tips). The output from this phase is a Risk Map that plots the risk universe in terms of their relative significance and likelihood. Other criteria that can be used to evaluate risk include manageability and tolerance.

Control Self-Assessment

The objective of this component of an integrated self-assessment session is to assess whether risks are appropriately controlled within the specific business process under review. The risks identified and prioritized during the earlier phases of the session are utilized during this phase. Participants are asked to evaluate the current level of control effectiveness over a particular risk within the business process compared to the significance of the risk. The output is a Control Map that visually depicts the voting results (See a sample Control Map). This Control Map assists in the identification of risk areas that are under-controlled, over-controlled, or appropriately controlled. Detailed discussions are typically led by the facilitator regarding the results depicted in the Control Map.

Alternatively, participants may be asked to vote on both the desired and current effectiveness of key controls. The resulting “gaps” are then discussed.

Process Self-Assessment

The objective of process self-assessment is to enhance the performance of a specific business process within an organization. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps.

Process self-assessment entails a detailed examination of the primary components of one specific process within an organization. Key stakeholders and those involved in the process on a daily basis discuss potential performance gaps and ways to close them to enhance business performance. The gaps may be caused by an inefficient step in the process or a control that is not operating effectively or is inappropriate based on the risk level. Action plans that include timelines and responsibilities are developed to help ensure that issues identified during the self-assessment are addressed.

The process self-assessment component of a self-assessment session includes the following phases:

  1. Definition of Process
  2. Identification of Primary Components of Current Process
  3. Discussion of Opportunities to Improve the Process
  4. Discussion of Tactics to Improve the Process

Definition of Process
The first phase of process self-assessment at the process level involves the definition of the process. The process should be defined in terms of its primary function and the other process areas within the organization that it impacts.

Identification of Primary Components of Current Process
The next phase of process self-assessment involves the identification of the primary components of the process as it currently exists. The facilitator should remind participants to discuss the process as it exists rather than how it might exist in the future. Thoughts about improvements should be captured in the Parking Lot (See related documentation on creating a Parking Lot). There are a number of ways to conduct this discussion:

  1. Option One: The process owner can prepare a flowchart or summary of the primary components of the process in advance of the meeting. The document can be distributed to participants and enlarged and posted in the room. The facilitator can lead a discussion of the process and make necessary changes directly to the enlarged document.
  2. Option Two: The facilitator can lead a discussion of the primary components of the process. After each participant has finished documenting the primary components (one on each post-it note), they can be collected and organized on wall charts. The steps can be organized based on the flow indicated by the participants.

Discussion of Opportunities to Improve the Process
The next phase of process self-assessment is to discuss opportunities to improve the process. Process components are discussed based on the following criteria:

  1. Importance – The relative importance of each process component to the successful execution of the process.
  2. Current Performance – The current performance of each component in the process.

Voting technology is typically used to capture responses from the session participants. The output from this phase is a Process Performance Map that plots the process steps in terms of their relative importance and current performance (See a Process Performance Map). Other criteria that can be used to evaluate a process include cost of implementation and willingness to change.

Discussion of Tactics to Achieve Strategic Objectives
During this phase of process self-assessment, participants begin to discuss potential performance gaps and ways to close them to enhance business performance. The gaps may be caused by an inefficient step in the process or a control that is not operating effectively or is inappropriate based on the risk level. It is often helpful to break the large group into smaller groups of 2 to 3 people for this activity; each small group can identify the tactics and then present them to the larger group for feedback. Once the tactics have been identified and agreed upon, the facilitator should lead participants through a process to assign responsibility and agree on the dates by which the tactics should be accomplished (See Action Planning Matrix). In most cases, one of the tactics will be to perform additional planning in a different forum, because it is likely that some of the individuals responsible for implementation may not be participants in the process self-assessment session.

Strategy Self-Assessment

Overview
The objective of strategy self-assessment is to understand, prioritize and reach consensus on strategic objectives for the company or a specific business process within the company. An understanding of key strategic objectives is critical to the successful implementation of Business Self-Assessment.

Entity Level Strategy Self-Assessment
Strategy self-assessment at the entity level entails a comprehensive look at the strategic objectives of the organization as a whole. These strategies are generally achieved through the collaboration of multiple process areas. Examples of entity level strategies include increasing earnings by an agreed upon percentage or amount, decreasing costs by an agreed upon percentage or amount, providing high-quality products or services that are competitively priced, or increasing customer satisfaction.

Strategy self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis. Strategy self-assessment is a recurring process of understanding, prioritizing and reaching consensus on strategic objectives to reflect the fact that organizational strategies change as the organization and the environment in which it operates evolve.

The results of strategy self-assessment at the entity level can be used for various purposes. Results can be used to:

Process Level Strategy Self-Assessment
Strategy self-assessment at the process level entails a comprehensive look at the strategic objectives of one specific process within an organization. Although these strategies generally support those of the organization as a whole, they can be achieved by the process area without the involvement of other areas. Examples of process level strategies in the billing process include providing accurate invoices to customers in a timely manner and ensuring that process controls are operating effectively and efficiently to minimize risk to an acceptable level.

Although strategy self-assessment at the process level can be conducted on a stand-alone basis, it is typically conducted on an integrated basis with the other phases of Business Self-Assessment (BSA).

The results of strategy self-assessment at the process level can be used for various purposes. Results can be used to:

Risk Self-Assessment

Overview
The objective of risk self-assessment is to identify, prioritize, measure and source business risks within the company or a specific business process within the company. Business risk is the threat that an event, action or inaction will threaten the ability of a company or process to achieve its objectives and execute its strategies successfully.

Entity Level Risk Self-Assessment
Risk self-assessment at the entity level entails a comprehensive look at those business risks that affect the organization as a whole. These risks are generally not specific to one business process but rather are applicable at the organization-wide level. Examples of entity level business risks include competitor risk, political risk and regulatory risk.

Risk self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis. Risk self-assessment, in its fullest form, is much more than one meeting or session. It is a continuous process of identifying, prioritizing, measuring and sourcing risks to reflect the fact that organizations and their environment are dynamic with ever-changing risk profiles.

The results of risk self-assessment at the entity level can be used for various purposes. Results can be used to:


Process Level Risk Self-Assessment
Risk self-assessment at the process level entails a comprehensive look at those risks that affect one specific process within an organization. These risks are not necessarily applicable to the organization as a whole but rather are specific to one business process. Examples of process level risks include data integrity risk, efficiency risk and performance gap risk.

Risk self-assessment at the process level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis.

The results of risk self-assessment at the process level can be used for various purposes. Results can be used to:

Control Self-Assessment

Overview
The objective of control self-assessment is to evaluate the effectiveness of a business risk management process within a company or the internal controls within a specific business process. Controls are the policies and procedures that, when implemented effectively and efficiently, help minimize or reduce the impact of risk on a company or business process to an acceptable level.

Entity Level Control Self-Assessment
Control self-assessment at the entity level entails a review of the business risk management processes in place within an organization that are designed to manage its business risks. The execution of control self-assessment at the entity level assumes that the business risks facing the organization have already been identified and prioritized as part of a risk self-assessment process or by some other means. Entity level control self-assessment results in enhanced risk control for entity level risks. Examples of entity level controls include determining risk tolerance, establishing policies and procedures to manage the risks, and measuring and monitoring the risks.

Control self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis. Control self-assessment, in its fullest form, is much more than one meeting or session. It is a continuous process of ensuring that a company’s business risk management process adequately mitigates its entity level risks. This continuous process reflects the fact that organizations and their environments are dynamic and control environments must be responsive to those changes.

The results of control self-assessment at the entity level can be used for various purposes. Results can be used to:


Process Level Control Self-Assessment
Control self-assessment at the process level entails a review of the internal controls in place within a specific business process of an organization. The execution of control self-assessment at the process level assumes that the risks within the business process have already been identified and prioritized as part of a risk self-assessment process or by some other means. Process level control self-assessment results in enhanced risk control within a particular business process. Examples of process level controls include reconciliations, approvals, passwords and segregation of duties.

Control self-assessment at the process level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis.

The results of control self-assessment at the process level can be used for various purposes. Results can be used to:

Process Self-Assessment

Overview
The objective of process self-assessment is to enhance the performance of a specific business process within the company. Participant feedback and “best practices” may be used to identify and analyze performance gaps, source root causes and agree on next steps.

Entity Level Process Self-Assessment
Because of the nature of process self-assessment, it is generally not performed at the entity level.

Process Level Process Self-Assessment
Process self-assessment entails a detailed examination of the primary components of one specific process within an organization. Key stakeholders and those involved in the process on a daily basis discuss potential performance gaps and ways to close them to enhance business performance. The gaps may be caused by an inefficient step in the process or a control that is not operating effectively or is inappropriate based on the risk level. Action plans that include timelines and responsibilities are developed to help ensure that issues identified during the self-assessment are addressed.

Process self-assessment at the entity level can either be conducted on an integrated basis with the other phases of Business Self-Assessment (BSA) or on a stand-alone basis.

The results of process self-assessment can be used for various purposes. Results can be used to:

Key Definitions, Strategy Self-Assessment

Key Definitions, Risk Self-Assessment

Key Definitions, Control Self-Assessment

Key Definitions – Process Self-Assessment
