Risk Assessment: Bring Uncertainty to Light

Do you know what risks your business is facing?

Chances are you’ve given a lot of thought to a few prominent ones: the loss of a big client, say, or a sharp rise in commodity prices. But, without sounding too paranoid, risks that can cause harm—or offer opportunity—to your business are everywhere. Insurer Aon’s 2013 Global Risk Management Survey indicated that the average reported loss of income from the top 10 risks (ranging from the economic slowdown to political uncertainties) increased 14 percent over the two years prior to 2013, while reported readiness dropped 7 percent to 59 percent.

A comprehensive risk assessment can reveal what risks your company is facing and how to deal with them. A recent study by the Institute of Internal Auditors (IIA) suggests that companies are taking a closer look at operational risk, noting that internal audit efforts are increasingly focused on the risks posed by processes, people, systems, and external events. Here are a few key principles to keep in mind when planning a risk assessment:

Assign accountability. Begin by establishing a cross-functional team tasked with implementing the risk assessment program. Members of this group should be capable of identifying potential risk events, rating them against the organization’s objectives, and determining an adequate response. This team should also have the authority to oversee a bottom-up process of information-gathering related to individual risks and responses by those closest to them.

Define objectives. “The strategic objectives are the guide for everything associated with risk management,” says Joe Underwood, principal at Albert Risk Management Consulting. “There has to be recognition that risk is not necessarily bad. The goal for the company is determining what types are core to its strategy, and to achieve the optimal level of risk taking in support of those strategic objectives.” 

Understanding the impact of risk, positive or negative, on objectives such as revenue growth, market share, or client satisfaction not only helps establish an assessment’s scope, but it also determines the way in which individual risks are rated. If, for example, you’re focused on operational efficiency, risks should be measured by their impact on that objective.

Devise a rating scale. Risks are rated in (at least) two dimensions: impact and probability. A simple ranking of low, medium, or high might be sufficient for your purposes, or you may require more detailed evaluation. Plotting various risks on these scales illustrates their severity relative to one another, resulting in a risk map or portfolio: The most severe risks would be both highly likely and highly consequential. At the other end of the grid would be unlikely, low-impact risks.

Build a risk portfolio. Once you’ve identified and rated the risks against each objective, the result is a comprehensive risk portfolio for the entire organization. But beware that you might have overlooked something. The Aon report indicates that respondents paid little attention to social media, ranked at 40, despite its potential risk to reputation. It may make sense to further group risks by root causes and/or functional areas to help with analysis. You can then determine how you’ll respond to each, whether by avoiding the most severe, sharing others (such as with insurance), or determining the degree of acceptance for everything else.

Implement response. “Risk assessment only adds value if actions result from the analysis,” Underwood says. “What you don’t want at the end of the process is a binder that just sits on a shelf. What I always try to do is make sure what we’re delivering is going to lead to some improvement.” With the risks laid out before the team, the next step is to prioritize, beginning with the low-hanging fruit, and then determine the best response for each.

Though each risk assessment has a discrete beginning and end, the process itself should be ongoing in order to succeed. New risks arise all the time, and old ones become less severe. Mechanisms such as trigger levels to raise potential issues or the analysis of leading indicators can provide early warning systems, while periodic audits make sure that controls put into place are having the proper effect. After all, you never know what might be around the next corner.


