Organizational Risk Assessment — Performed the Right Way

Risk Assessment Defined

Risk assessment is the identification and analysis of relevant risks to achieving objectives and forming a basis for determining how the risk should be managed (accept, reject, share, reduce, etc.).

Every entity faces a variety of risks from both external and internal sources and each of these risks must be assessed. Risks affect each entity’s ability to survive; successfully compete within its industry; maintain its financial strength and positive public image; and maintain the overall quality of its products, services and people.

Businesses should perform a risk assessment before introducing new processes or activities, before introducing changes to existing processes or activities (such as changing equipment), or when the company identifies a new risk.

Preconditions to risk assessment establish objectives that are linked at different levels and are internally consistent. An organization must not only understand and deal with the risks it faces but also set objectives; integrate with sales; and perform production, marketing, financial and other activities so that it is operating correctly and efficiently. At that point, the entity must establish mechanisms to identify, analyze and manage the related risks.

There is no practical way to reduce risk to zero. Therefore, management must determine how much risk should be prudently accepted and strive to maintain risk within these levels. This acceptance is referred to as risk appetite.

Risks Categorized

There are several types of risks that an organization may face. While specific industries have their sets of risks, businesses of all kinds may face idiosyncratic risks that are unique to their organization. In general, however, organizational risks tend to fall into one of four categories as follows:

The Four Categories of Risk:

1. Strategic Risk: As an example, a competitor enters the market, posing a risk to a business’s market share of a product or service.
2. Compliance and Regulatory Risk: This risk may include the introduction of new rules or legislation that may negatively impact a business from carrying out its activities, thus compromising its revenue.
3. Financial Risk: As an example, a rise in interest rates increases the cost of debt or a currency rate change, affecting its ability to import or export goods and services.
4. Operational Risk: This risk includes a breakdown or theft of key equipment or the protection of data.

The goal of a risk assessment plan will vary across industries, but overall, it should help organizations prepare for and combat risk. Other tasks contributing to this goal include:

• Providing an analysis of possible threats
• Meeting legal requirements
• Developing awareness regarding hazards and risk
• Preventing injuries or illnesses
• Creating an accurate inventory of available assets
• Managing currency, interest rate and foreign exchange rate risk
• Assessing concentration risk (customer and supply chain)
• Avoiding key-man risk
• Formulating a budget to remediate risks
• Justifying the costs of managing risks
• Understanding the return on investment

The Risk Assessment Steps

The steps used in risk assessment form an integral part of an organization’s risk management plan and ensure that the organization is prepared to handle any risk. The three main steps of risk assessment should be carried out in an organized, systematized and logical way. They are as follows:

Step 1: Objective Setting

Objective setting is a key part of the management process. Objectives must be set before management can identify risk achievements and take the necessary actions to manage the risk. Objectives are considered a prerequisite to and enabler of internal controls — not an internal controls component. Thus, they must be explicitly stated to continue a past level of performance. At the entity level, objectives are often represented by the entity’s mission and value statements, while the entity’s strengths, weaknesses, opportunities and threats (SWOT) can lead to an overall strategy.

Entity-level objectives are linked and integrated with more specific objectives established for defined “activities,” — sales, production and engineering — making sure they are consistent. These subobjectives, including established goals, may deal with the product line, market, financing and profit objectives. Critical success factors exist not only for the entity but for business units, functions, departments and individuals. Thus, objective setting enables management to identify measurement criteria for performance with a focus on critical success factors. Categories of objectives include:

1. Operations: This relates to the achievement of an entity’s basic mission — the fundamental reason for its existence.
2. Reporting: This pertains to internal and external; financial and nonfinancial reporting; and may encompass reliability, timeliness, transparency or other terms set forth by regulators, recognized standard-setters or the entity’s policies.
3. Compliance: The entity must conduct its activities, and often take specific actions, in accordance with applicable laws and regulations.

An organization should not look at these objectives in silos because an objective in one category may overlap or support an objective in another. Furthermore, the category in which an objective falls can sometimes depend on circumstances.

Step 2: Risk Identification

An entity’s performance can be at risk due to internal or external factors. Regardless of whether an objective is stated or implied, an entity’s risk assessment process should consider potential risks. Risk identification should be comprehensive and should consider all significant interactions between an entity and relevant external parties. Risk identification is an interactive process and is often integrated with the planning process; thus it’s useful to consider risk from a “clean sheet of paper” approach and not merely relate the risk to the previous review.

Step 3: Risk Analysis

Once risk has been identified, it must be analyzed in terms of estimating its significance and the likelihood (or frequency) of the risk occurring. How the risk should be managed is considered with an assessment of what actions should occur (accept, reject, share, reduce). As there are numerous methods for estimating the cost of a loss from an identified risk, management should be aware of them and apply them as appropriate. Actions that can be taken to reduce the significance or likelihood of the risk occurring include a myriad of decisions management may make every day. Management must recognize that it is likely some level of residual risk will always exist, either because resources are always limited, and/or other limitations are inherent in every internal control system. Finally, organizations should be open to and expect change to mitigate and manage risk.

Tools in the Risk Assessment Process 

There are several risk assessment tools available for organizations. One tool to help organizations provide timely and accurate risk identification and assessment is a risk and control self-assessment (RCSA). The level of organizational resources required to complete an RCSA and effectively apply the results in a timely manner may, nevertheless, be considerably complex, arduous or costly for many organizations to implement and/or utilize. Furthermore, leadership often finds it difficult to define roles and carve out the necessary time for this intricate and comprehensive process. They may find that RCSA workshops are unproductive while the processes, controls and technology are continuously changing and documentation becomes outdated. Yet there are ways to take on these challenges through the identification of practical and effective changes that an organization can implement, with minimal cost and disruption, allowing for the RSCA program to successfully do what it was intended for. This process can be accomplished in a period of six to 12 months and with favorable results. Examples include:

• Rationalizing and optimizing controls
• Improving coverage and the integration of regulatory compliance and technology risk
• Simplifying taxonomies
• Incorporating relevant data points

Beyond these relatively simple changes, organizations should consider embracing new technology, such as data analytics tools, predictive capabilities, chatbots, artificial intelligence and automated assistants, to deliver more timely, actionable and forward-looking results. Competitive advantage will be on the side of organizations capable of using risk and control data, particularly RCSA results, to make risk-informed, faster and smarter decisions.

Getting Specific

Here are some risk assessment tools you can download on KnowledgeLeader:

• A risk assessment questionnaire with instructions for completion, information and reference materials, a risk model, rating guidance and risk definitions. The questionnaire collects responses for risk assessment as preparation for annual budgeting and business planning efforts. It includes functional goals, top three to five risks in functional areas, companywide top three to five risks, quantitative risk ratings and an internal audit section
• Policy and procedure samples, such as an IT Assessment Policy, which provides a standardized approach and operating instructions for the execution of a company’s IT risk assessment
• Risk Assessment Audit Report, including two sample audit reports, that outline steps an audit department should take when conducting a risk assessment, and a guide used by auditors to understand their risk assessment processes

In addition to the above examples, KnowledgeLeader provides risk assessment templates, articles, booklets and discussion points that are applicable, timely and insightful. It’s never too early to start or update a risk assessment within an organization. The process may seem daunting at first but with the right tools and resources, an organization will be well on its way to getting there.