This is Part 6 of my blog series: The Art & Science of Risk Management
In my previous post, I mentioned that something as simple as a risk assessment will provide a level playing field for risks, across all business units or functions, in terms of measurement and reporting. Apart from understanding the risks faced by an organization, the risk assessment ultimately aims to assist in prioritizing the risks and therefore prioritizing the courses of action. The risk assessment may be applied to specific projects or across the whole business. It is therefore easy to see why the risk assessment is core to any enterprise risk management (ERM) framework.
The risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary. - ISO 31000
There are key steps to follow with any risk assessment and these are:
Establish the scope, context and criteria. The way we go about doing a risk assessment is important and should be tailored to the environment we are working in and to the needs of the organization. We may for example know in advance that certain types of risks are not relevant to the organization and therefore should not be addressed in the risk assessment. On the other hand, the company may have instructions to target specific risks. The culture of the organization must be understood in advance. It may be that employees are hesitant to communicate risks for fear of being reprimanded. Overall, we need to understand how the business is run. To help with this step, we may meet with the various heads of department to understand their business objectives. We may meet with senior stakeholders to understand the organization’s vision, objectives and risk appetite which needs to be clear at the outset. Remember, risk is deviation from an expected outcome toward an objective. We therefore need to know the expectations and objectives of the organization first before determining the risks.
Identify the key risks and controls. At the company I work for, we normally send out questionnaires to the relevant stakeholders. We ask these individuals to identify the key factors which are currently affecting their objectives, the key emerging factors which could affect their objectives in future, as well as the opportunities which may arise and contribute positively toward their objectives. Once these individuals have filled in the questionnaire, we then meet them to get a better feel for what they have documented (they may be reluctant to fill in the questionnaire thoroughly anyway). On that note, I would like to stress that the risk manager must know everything about the business, since the risk manager is one of the few employees who operates across all functions of the business. It is also impossible for us to identify risks if we don't understand the business. So, apart from interviewing the relevant stakeholders, the risk manager's own input is also required in the risk identification process. During risk identification, it is necessary to characterize each risk in terms of the occurrence of a potential event, the sources of the event and the consequences. In addition, we note some points to consider so that any reader may understand the risk. Together this forms the risk description. During risk identification it is also important to know what controls are currently in place or will be in place. At the company I work for, we have a risk identification spreadsheet where each row holds: a risk ID or label, the name of the department/function, the name of the person in charge, the risk description and then the controls description.
Evaluate the key risks and controls. We need to evaluate in order to prioritize. We recommend evaluating in terms of probability (or likelihood of occurrence) as well as severity (i.e. a measure of the financial and reputational consequences associated with each risk). An example of the values is presented below:
Photo courtesy of James Lam
Probability and severity are normally multiplied together to arrive at a final risk measure (with values ranging from 1 x 1 = 1 to 5 x 5 = 25). The risk management department may evaluate the risks or allow all relevant stakeholders to evaluate through a voting-style process. The advantage of allowing stakeholders to evaluate the risks is that it forces them to understand the risks faced by other business units or functions. This sharing of knowledge is what ERM is all about. However, the disadvantage is that stakeholders may vote to shift blame on others or vote to ensure that management will give them favour. A professional risk manager is trained to be objective so that if voting fails, he/she can step in to ensure a fair assessment. It is also important to evaluate controls to establish whether things need to be fixed or new controls should be built in. An example regarding evaluation may be viewed in the image below:
Photo courtesy of James Lam
Assimilate, prioritize and report. We want to assimilate the results of the risk assessment so that we may easily prioritize and report on the risks. The way we do the risk assessment will dictate the way we report. If we applied a voting-style process, we must report on the potential biases. At the company I work for, we normally split the results of the votes into groups (e.g. ground staff, management, Board members, etc.) and compare them per risk. From the results, we should be able to comfortably pick out the top risks (normally between 10% and 25% of all the risks). We should also know where control weaknesses lie in each of these top risks. It will be these top risks that are focussed on in the report; the rest are usually appendix items. Remember, graphics are great! Plot probability against severity, and the product of the two (the risk measure) against controls. Ideally, we will report to all those who contributed to the assessment as well as senior management, committee and Board members.
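To make the evaluate-and-prioritize steps concrete, here is an added worked example (not code from the original post). It builds a small risk register like the spreadsheet described above, scores each risk as probability x severity on the 1-5 scales (so the measure runs from 1 to 25), compares the votes of ground staff, management and the Board per risk to flag possible bias, picks out the top 25% of risks, lists which of those have weak controls, and lays the risks out on a probability-versus-severity grid for the report. The register rows, the votes, the 1-5 control rating (1 = weak, 5 = strong) and the bias threshold are all constructed assumptions for this example.

```python
"""Risk register scoring and prioritisation (added example, not from the original post).

Probability and severity are scored 1-5 and multiplied into a 1-25 risk measure, as in
the post. The register, the votes, the control rating (1 = weak, 5 = strong) and the
bias threshold below are constructed sample data / assumptions for this example.
"""
import math
from collections import defaultdict
from statistics import mean

# Constructed register: one row per risk, mirroring the identification spreadsheet.
REGISTER = {
    "R1": {"dept": "IT", "owner": "A. Ndlovu", "desc": "Ransomware takes core systems offline", "controls": 2},
    "R2": {"dept": "Procurement", "owner": "B. Khan", "desc": "Key supplier becomes insolvent", "controls": 3},
    "R3": {"dept": "HR", "owner": "C. Dlamini", "desc": "Loss of key technical staff", "controls": 4},
    "R4": {"dept": "Finance", "owner": "D. Naidoo", "desc": "Regulatory fine for late filing", "controls": 4},
    "R5": {"dept": "Facilities", "owner": "E. Botha", "desc": "Data-centre power failure", "controls": 5},
    "R6": {"dept": "Operations", "owner": "F. Mokoena", "desc": "Product recall", "controls": 3},
    "R7": {"dept": "Finance", "owner": "D. Naidoo", "desc": "FX exposure on imported components", "controls": 3},
    "R8": {"dept": "Facilities", "owner": "E. Botha", "desc": "Office break-in", "controls": 4},
}

# Constructed votes: (risk ID, voter group, probability 1-5, severity 1-5).
VOTES = [
    ("R1", "ground staff", 4, 5), ("R1", "management", 4, 5), ("R1", "Board", 4, 5),
    ("R2", "ground staff", 2, 3), ("R2", "management", 3, 3), ("R2", "Board", 4, 3),
    ("R3", "ground staff", 5, 4), ("R3", "management", 2, 2), ("R3", "Board", 2, 3),
    ("R4", "ground staff", 2, 4), ("R4", "management", 2, 4), ("R4", "Board", 2, 4),
    ("R5", "ground staff", 1, 5), ("R5", "management", 1, 5), ("R5", "Board", 1, 5),
    ("R6", "ground staff", 2, 4), ("R6", "management", 3, 3), ("R6", "Board", 4, 2),
    ("R7", "ground staff", 4, 3), ("R7", "management", 4, 3), ("R7", "Board", 4, 3),
    ("R8", "ground staff", 3, 1), ("R8", "management", 3, 2), ("R8", "Board", 3, 3),
]


def risk_measure(probability, severity):
    """Risk measure = probability x severity on the 1-5 scales, i.e. 1..25."""
    for v in (probability, severity):
        if not 1 <= v <= 5:
            raise ValueError(f"score {v} is outside the 1-5 scale")
    return probability * severity


def collect(votes):
    """Group the votes by risk and by voter group: {rid: {group: [(p, s), ...]}}."""
    by_risk = defaultdict(lambda: defaultdict(list))
    for rid, group, p, s in votes:
        risk_measure(p, s)  # validates the scale before the vote is accepted
        by_risk[rid][group].append((p, s))
    return by_risk


def group_measures(votes):
    """Per risk, each group's measure: mean probability x mean severity of that group."""
    out = {}
    for rid, groups in collect(votes).items():
        out[rid] = {g: risk_measure(mean(p for p, _ in vs), mean(s for _, s in vs))
                    for g, vs in groups.items()}
    return out


def overall_measures(votes):
    """Per risk, the measure across all voters (mean probability x mean severity)."""
    out = {}
    for rid, groups in collect(votes).items():
        allv = [v for vs in groups.values() for v in vs]
        out[rid] = risk_measure(mean(p for p, _ in allv), mean(s for _, s in allv))
    return out


def biased(votes, spread=10):
    """Risks whose group measures differ by at least `spread` points (potential bias to report).

    The threshold is an assumption; a big gap between, say, ground staff and the Board
    is the kind of result the post says must be reported alongside the scores."""
    flagged = {}
    for rid, gm in group_measures(votes).items():
        gap = max(gm.values()) - min(gm.values())
        if gap >= spread:
            flagged[rid] = gap
    return flagged


def top_risks(votes, register, fraction=0.25):
    """The top `fraction` of risks by measure; ties go to the risk with weaker controls."""
    measures = overall_measures(votes)
    ranked = sorted(measures, key=lambda r: (-measures[r], register[r]["controls"], r))
    n = max(1, math.ceil(len(ranked) * fraction))
    return ranked[:n]


def control_gaps(risks, register, weak=2):
    """Among the given risks, those whose control rating is `weak` or below."""
    return [r for r in risks if register[r]["controls"] <= weak]


def heat_map(votes):
    """5x5 grid indexed [severity-1][probability-1] -> risk IDs, for the P-vs-S plot."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for rid, groups in collect(votes).items():
        allv = [v for vs in groups.values() for v in vs]
        p = round(mean(p for p, _ in allv))
        s = round(mean(s for _, s in allv))
        grid[s - 1][p - 1].append(rid)
    return grid


if __name__ == "__main__":
    top = top_risks(VOTES, REGISTER)
    print("Top risks:", top)
    print("Weak controls among top risks:", control_gaps(top, REGISTER))
    print("Possible voting bias (risk: spread between groups):", biased(VOTES))
    grid = heat_map(VOTES)
    for s in range(5, 0, -1):  # severity on the vertical axis, probability on the horizontal
        print(f"S{s} | " + " ".join(f"{','.join(c) or '-':>6}" for c in grid[s - 1]))
    print("     " + " ".join(f"{'P' + str(p):>6}" for p in range(1, 6)))
```

With the constructed votes, R1 (ransomware) and R7 (FX exposure) come out as the top 25%, R1 is the one of those with a weak control rating, and R3 (loss of key staff) is flagged because ground staff scored it 20 while management and the Board scored it 4 and 6; that spread is what the report should surface rather than hide behind a single averaged number.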
Key to all of this is keeping the following challenges in mind:
- The risk assessment is a living exercise, i.e. risks require ongoing monitoring and reporting. It also requires consistency over time.
- The risk assessment can’t be of value without the full support of senior management.
- The benefits of the risk assessment are usually not tangible, so the exercise is difficult to justify.
- Converting qualitative opinions into a quantitative evaluation is never an easy task.
- The risk assessment requires significant time and resources to be done properly.
Despite these issues, it is important to keep in mind the benefits of the risk assessment. These include:
- Enhanced awareness and transparency of the key risks facing the organization.
- Facilitated cross-functional learning and knowledge transfer for the participants.
- Improved risk analytics and quantification processes (by targeting these efforts on the most critical risks).
- Enhanced Board and management reporting.
- Improved business performance through risk-based decision making.
So do your risk assessment!
Up Next – ERM Governance
Your Risk Connoisseur
J-MLN
As an Industrial Engineer, I may say it is really nice to read this type of post.