A risk assessment framework that allows organisations to capture their key risks. It is designed to be a working document that is part of the overall business performance management system.
The risk assessment framework
Key steps that should be completed
For each strategic objective (taken from, eg, a strategy map), potential risks are identified
This objective-by-objective approach ensures that all potential risk areas are discussed – both external and internal. Moreover, using the objectives that come from the strategy map also helps organisations to identify how potential risk areas might impact each other.
However, it is unlikely that all potential risks for each element are identified and prioritised straightaway. The risk log will usually grow over time as more potential risk areas are identified, although the importance of others might fall away as they are either mitigated or become less relevant over time.
Describe the essence of the particular potential risks in relation to each objective
Here, it is possible to give the risk a name, but more importantly to create a short narrative description of the type of risk.
Define the risk level
Here the likely consequences and potential impact of this risk are evaluated, were the risk to occur.
Define the likelihood level
Here, the likelihood that this risk might turn into a reality is evaluated. In addition, the likelihood is compared to the likelihood estimated at the last review cycle. This indicates whether the likelihood is increasing, staying the same, or decreasing.
Ascribe an appropriate scoring system
a) the risk level (potential severity) of each risk (eg 1–5), the criteria for which may not necessarily be all financial ones, and
b) the likelihood level (probability of occurrence) of the risk (eg 1–5).
These two scores are then multiplied to create the risk score (on two 1–5 scales, a risk level of 4 and a likelihood of 3 gives a score of 12 out of a possible 25). The rationale for this scoring system is not only to help identify management priorities but also to assess whether the likely severity of each risk has moved over time and whether the firm's potential exposure to it has increased or diminished since the last review.
Assign responsibility (ownership)
Assign a named owner for managing each defined risk, and define a review frequency for re-evaluating the risk and the progress of subsequent risk mitigation activities.
Capture required actions and progress on those actions
This ensures that the organisation captures the actions agreed to manage or mitigate those risks and keeps a log of progress against them.
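The steps above describe a small data structure and a scoring rule, so the following Python risk log is added here as a worked example; it is not code from the article or from the Advanced Performance Institute. Each entry carries the objective, a name and narrative, a risk level and likelihood on the 1–5 scales, an owner, a review frequency and the agreed actions. The score is the product of the two levels, the trend compares likelihood with the value held at the last review cycle, and the log can be sorted into priority order and checked for overdue reviews. The four sample risks, the objectives, owners and dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

SCALE = range(1, 6)  # both levels are scored 1-5, as in the article


@dataclass
class Risk:
    """One row of the risk log (all entries below are constructed for illustration)."""
    objective: str                 # strategic objective the risk relates to
    name: str                      # short name for the risk
    description: str               # narrative description of the type of risk
    risk_level: int                # potential severity if the risk occurs, 1-5
    likelihood: int                # probability of occurrence, 1-5
    owner: str                     # person responsible for managing the risk
    review_every_days: int         # agreed re-evaluation frequency
    last_review: date              # date of the last review cycle
    prev_likelihood: Optional[int] = None  # likelihood recorded at the last review
    actions: List[str] = field(default_factory=list)  # agreed actions and progress notes

    def __post_init__(self) -> None:
        for value in (self.risk_level, self.likelihood):
            if value not in SCALE:
                raise ValueError(f"score {value} is outside the 1-5 scale")

    @property
    def score(self) -> int:
        """Risk score = risk level x likelihood, giving a 1-25 range."""
        return self.risk_level * self.likelihood

    @property
    def trend(self) -> str:
        """Direction of the likelihood since the last review cycle."""
        if self.prev_likelihood is None:
            return "new"
        if self.likelihood > self.prev_likelihood:
            return "increasing"
        if self.likelihood < self.prev_likelihood:
            return "decreasing"
        return "stable"

    def review_due(self, today: date) -> bool:
        """True once the agreed review interval since the last review has elapsed."""
        return today >= self.last_review + timedelta(days=self.review_every_days)


def prioritise(log: List[Risk]) -> List[Risk]:
    """Highest risk score first; ties go to the more severe risk."""
    return sorted(log, key=lambda r: (r.score, r.risk_level), reverse=True)


def overdue_reviews(log: List[Risk], today: date) -> List[str]:
    """Names of risks whose agreed review date has passed."""
    return [r.name for r in log if r.review_due(today)]


def record_review(risk: Risk, new_likelihood: int, today: date, note: str = "") -> Risk:
    """Close a review cycle: keep the old likelihood so the next cycle can show a trend."""
    if new_likelihood not in SCALE:
        raise ValueError(f"score {new_likelihood} is outside the 1-5 scale")
    risk.prev_likelihood = risk.likelihood
    risk.likelihood = new_likelihood
    risk.last_review = today
    if note:
        risk.actions.append(f"{today.isoformat()}: {note}")
    return risk


# Constructed sample log: four risks against three hypothetical strategic objectives.
TODAY = date(2024, 6, 30)
SAMPLE_LOG = [
    Risk("Protect customer data", "Ransomware on file servers",
         "Encryption of shared drives halts order processing", 5, 3,
         "Head of IT", 90, date(2024, 3, 1), prev_likelihood=2),
    Risk("Grow online sales", "Payment provider outage",
         "Card payments unavailable during peak trading", 4, 2,
         "Head of Operations", 180, date(2024, 5, 15), prev_likelihood=2),
    Risk("Retain key staff", "Loss of lead engineer",
         "Single person holds knowledge of the billing platform", 3, 4,
         "HR Director", 90, date(2024, 6, 1)),
    Risk("Protect customer data", "Phishing of finance team",
         "Fraudulent payment instructions accepted by staff", 4, 4,
         "Finance Director", 30, date(2024, 5, 1), prev_likelihood=4,
         actions=["2024-05-01: awareness training scheduled"]),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_LOG):
        print(f"{r.score:>2} {r.trend:<10} {r.owner:<18} {r.name}")
    print("reviews overdue:", overdue_reviews(SAMPLE_LOG, TODAY))
```

Keeping the previous cycle's likelihood on the row, rather than overwriting it, is what makes the trend comparison in the step above possible; the tie-break on severity in `prioritise` reflects the point that the scoring criteria need not be purely financial, so two risks with the same product are not treated as interchangeable.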
The risk log
Completing the risk log is best done within a project team. Different sub-teams can be assigned to assess the risks of different elements of the business. This ensures that several people who are knowledgeable in the subject matter work together and come either to a unanimous or aggregate score.
Here, teamwork is important since this type of analysis can be highly subjective. That being the case, it is a good idea to ensure that the risk level and likelihood scores are not left to a single individual. Furthermore, it is important to document as much information and logic as possible for the awarded scores in the risk log so that these can be revisited at the next review.
For each area, additional data can be collected and referenced in the risk log. However, there is a real danger of making this an overly bureaucratic process, and that is why I advocate a relatively simple approach. The Pareto principle applies: 80% of the risk can be identified and assessed with 20% of the effort that an exhaustive exercise would require.
Actions resulting from risk analysis
Having identified the highest priority risks (with high risk level and high likelihood level), management actions can be taken to modify their consequences and potential impacts on the firm. Typical actions resulting from a risk analysis include:
- Development of contingency plans (especially for emergencies/crises – scenario planning techniques can assist this process)
- Buying insurance against occurrence
- Renegotiation of supplier contracts
- Introduction of (internal/external) compliance audits
- Introduction of new performance indicators to monitor emerging trends.
This does not mean that lower severity/likelihood risks can be ignored altogether; it is just that management is unlikely to be able to set in motion the corrective actions for large numbers of risks simultaneously.
However, if this is treated as part of an organisation-wide program, then actions on lower priority risks might – with appropriate guidance – be delegated to lower ranking managers. Otherwise, they will have to wait until the senior executives have first dealt with the highest priority risk category and that might mean that the firm is still exposed to some pretty substantial risks with which it is unready to cope.
Although organisations have always been exposed to risk (how else would the insurance industry have become so wealthy?), arguably they have never been so at risk.
Today, it is becoming increasingly common and necessary for organisations to appoint a senior risk manager. This is a post that often reports (in a communication sense, not a line management sense) to a non-executive director but where the incumbent needs to work closely with operational executives in far-flung parts of the organisation.
Introducing an evaluation methodology that is aligned with the corporate strategy and then conducting a fair assessment of the potential risks is the first step towards mitigating the likely impacts that those key risks could have on the organisation.
About the author
This article was written by Bernard Marr, Advanced Performance Institute