6 Steps to a Good Risk Assessment Process
Effective enterprise risk management is becoming increasingly important in today’s regulatory environment. Regulators and rating agencies expect companies to have a good understanding of their risk profiles and to have implemented an appropriate governance structure to mitigate their risks.
Your industry is ever-changing, and it can be challenging for an organisation to have a complete understanding of the risks that can pose potential pitfalls to its operations.
Conducting a company risk assessment can allow an organisation to obtain a holistic view of the risks it faces, allowing management to identify these risks and capitalise on opportunities.
Identify Your Company’s Risks
Consider what you define risk to be.
- A standard definition of risk is any event that negatively influences your ability to achieve your business goals.
Risks affect a company’s ability to survive, successfully compete within the industry, and maintain its financial strength and positive public image as well as the overall quality of its products, services and people.
Think about risks from your point of view within the company, considering your group’s goals and objectives. Risks range widely, from
- “Natural Catastrophe Risk” to operational risks such as “Outsourcing and Service Provider Risk.”
A good starting point is to look at your company’s presentations to your regulators and other interested stakeholders.
What other risks can you think of?
Create Your Company’s Risk Library
Once you have analysed your company’s risks, you should begin to establish a company risk library. The risk library provides a framework for the risk assessment process. It summarises and defines, in a common repository, those risks to which the company is exposed. The library helps to facilitate discussions of risks and their definitions, and it promotes both consistency and a culture of risk awareness.
Identify Your Risk Owners
For each of the risks within your risk library, you should identify the most appropriate person to monitor and manage those risks - in other words, the risk owner(s).
The risk owner is responsible for assessing risks and identifying associated controls. This role is also responsible for implementing and maintaining appropriate controls within its associated area of responsibility, and for reporting breaches of controls or risk appetite.
There can be more than one risk owner for each of the individual risks. For example, the risk owners of “Business Interruption/Disaster Recovery Risk” may include individuals from Finance, Human Resources and Business Unit managers.
Identify the Controls to Mitigate & Reduce Risks
Working with the risk owners, identify current controls that are in place to mitigate and/or reduce risk. For example, investment guidelines help to mitigate “Equity Risk.”
Each control should also be assigned an owner or responsible party.
This can be a functional role (for example, a team or department) rather than a specific individual.
Assess Risk Potential and Impact
The company’s risk appetite is based on its own evaluation of the trade-off between risk and return. Assessing the financial impact and likelihood of risk can aid management in determining whether the company is operating within its stated risk appetite and should accept, reject or reduce risk. Working with the risk owners, evaluate each of the risks in the risk library, based on:
- Financial Impact or Significance - How large an impact would this risk have if it were to occur? Consider this impact net of the mitigating effect of the risk controls and of the monitoring of those controls.
- Likelihood - Consider how likely it is that this risk would actually occur after the mitigating effects of the risk controls. Each risk can be evaluated on either a quantitative or a qualitative basis, depending on the availability of information and the confidence in the approach. For some risks, such as “Natural Catastrophe Risk,” the company may choose to use outputs from catastrophe models. For other risks, it makes more sense to develop a scenario-based approach for evaluation.
At this point you have:
- Created a risk library and identified risk owners
- Identified mitigating controls
- Evaluated each risk for financial impact and likelihood
The risk assessment is a living process and should be conducted on at least an annual basis, and certainly more frequently if there has been a substantial change in your company’s risk profile. Additionally, it is a valuable exercise to revisit the company risk library annually, as risks and definitions may develop and change from year to year.
Risk assessment allows management to assess the company’s risks and controls and devote resources where needed. Evaluating the financial impact and likelihood of each risk can be helpful when prioritising the company’s risks. Identifying risk and control owners helps to clarify roles and responsibilities in the company and promotes accountability. However, for the risk assessment process to be successful, you must consider what kind of reporting would speak to your management team.
A risk assessment is only as useful as the way it is used and the decisions that are made from it. The risk assessment process takes time to do well; therefore, you want to create output that is helpful to management.
The risk assessment process is ongoing and should be revised over time. It can take several iterations before you have a complete picture of your company’s risks and genuinely understand the controls and processes that mitigate them. The outcome of the process gives management and its employees a better understanding of the company risk profile and the importance of the control environment in mitigating risk.