A guide to risk management is an indispensable resource for understanding the intricacies of identifying, assessing, and mitigating risks, paving the way for strategic decision-making and robust organizational resilience.
Risk management practices in an organization revolve around the identification of inherent and emerging risks, assessment of identified risks, and taking appropriate measures to mitigate or manage the assessed risks, based on the significance and priority of risks.
A Guide to Risk Management: Risk Identification
The organization identifies a risk that impacts the performance of the strategy and business objectives. The organization identifies new, emerging, and changing risks to the achievement of the entity’s strategy and business objectives. It undertakes risk identification activities to first establish an inventory of risks and then to confirm existing risks as being still applicable and relevant. As enterprise risk management practices are progressively integrated, the knowledge and awareness of risks are kept up-to-date through normal day-to-day operations.
Some entities will supplement those activities from time to time to confirm the completeness of the risk inventory. How often an organization does this will depend on how quickly risks change or new risks emerge. Where risks are likely to take months or years to materialize, the frequency at which risk identification occurs will be less than where risks are less predictable or will occur at a greater speed.
New, emerging, and changing risks include those that:
- Arise from a change in business objectives (e.g., the entity adopts a new strategy supported by business objectives or amends an existing business objective).
- Arise from a change in a business context (e.g., changes in consumer preferences for environmentally friendly or organic products that have potentially adverse impacts on the sales of the company’s products).
- Pertain to a change in a business context that may not have been applied to the entity previously (e.g., a change in regulations that results in new obligations to the entity).
- Were previously unknown (e.g., the discovery of susceptibility to corrosion in raw materials used in the company’s manufacturing operations).
- Were previously identified but have since been altered due to a change in the business context, risk appetite, or supporting assumptions (e.g., a positive increase in the expected sales forecasts affecting production capacity).
Emerging risks arise when the business context changes and they may alter the entity’s risk profile in the future. Note that emerging risks may not be understood well enough to identify and initially assess accurately, and may warrant reidentification more frequently.
Additionally, organizations should communicate evolving information about emerging risks. Identifying, new and emerging risks, or changes in existing risks, allows the organization to look to the future and gives them time to assess the potential severity of the risks as well as to take advantage of these changes. In turn, having time to assess the risk allows the organization to anticipate the risk response, or to review the entity’s strategy and business objectives as necessary.
Some risks may remain unknown risks for which there was no reasonable expectation that the organization would consider during risk identification. These typically relate to changes in the business context. For example, the future actions or intentions of competitors are often unknown, but they may represent new risks to the performance of the entity.
Organizations want to identify those risks that are likely to disrupt operations and affect the reasonable expectation of achieving strategic and business objectives. Such risks represent a significant change in the risk profile and may be either specific events or evolving circumstances.
The following are some examples:
Emerging technology: Advances in technology that may affect the relevance and longevity of existing products and services.
Expanding the role of big data and data analytics: How organizations can effectively and efficiently access, transform, and analyse large volumes of structured and unstructured data sources.
Rise of virtual entities: The growing prominence of virtual entities that influence the supply, demand, and distribution channels of traditional market structures
Embedded in identifying risk is identifying opportunities. That is, sometimes opportunities emerge from risk. For example, changes in demographics and aging populations may be considered as both a risk to the current strategy of an entity and an opportunity to renew the workforce to better pursue growth.
Similarly, advances in technology may represent a risk to distribution and service models for retailers as well as an opportunity to change how retail customers obtain goods (e.g., through online service). Where opportunities are identified, they are communicated through the organization to be considered as part of setting strategy and business objectives.
A risk inventory is simply a listing of the risk the entity faces. Depending on the number of individual risks identified, organizations may structure the risk inventory by category to provide standard definitions for different risks. This allows similar risks to be grouped, such as financial risks, customer risks, or compliance (or more broadly, obligation) risks. Within each category, organizations may choose to further define risks into more detailed sub-categories. The risk inventory can be updated to reflect changes identified by management.
Because the impact of risks cannot be limited to specific levels or functions, identification activities should capture all risks, and regardless of where they are identified, all risks form part of the entity’s risk inventory. For example, an entity that identifies risks at the strategy level relating to board governance and achieving diversity targets must also consider these risks at a business objective level. Or an organization that identifies the risk of missing a customer billing deadline at a business objective level should consider the impact of that risk at the entity level.
To demonstrate that a comprehensive risk identification has been carried out, management will identify risks and opportunities across all functions and levels—those risks that are common across more than one function, as well as those that are unique to a particular product, service offering, jurisdiction, or other function.
A Guide to Risk Management: Risk Assessment
Risk assessment is performed by the organizations to understand the possible interrelation of risks with other risks and the potential of those risks to create operational and business disruptions. Risk analysis requires the assessment of risks considering different approaches such as qualitative, quantitative, or a combination of both. Risks identified and included in an entity’s risk inventory are analysed to understand the severity of each to the achievement of an entity’s strategy and business objectives. Risk analysis informs the selection of risk responses. Given the severity of the risks identified, management decides on the resources and capabilities to deploy for the risk to remain within the entity’s risk appetite.
The severity of a risk is analysed at multiple levels (across divisions, functions, and operating units) in line with the business objectives it may impact. It may be that risks assessed as important at the operating unit level, for example, may be less important at a division or entity level. At higher levels of the entity, risks are likely to have a greater impact on reputation, brand, and trustworthiness. Using standardized risk terminology and categories helps in the assessment of risks at all levels of the organization.
Qualitative assessment approaches, such as interviews, workshops, surveys, and benchmarking, are often used when it is neither practicable nor cost-effective to obtain sufficient data for quantification. Qualitative assessments are more efficient to complete; however, there are limitations in the ability to identify correlations or perform a cost-benefit analysis.
Quantitative assessment approaches, such as modeling, decision trees, Monte Carlo simulations, etc., allow for increased granularity and precision and support a cost-benefit analysis. Consequently, quantitative approaches are typically used in more complex and sophisticated activities to supplement qualitative techniques. Quantitative approaches include:
Probabilistic models (e.g., value at risk, cash flow at risk, operational loss distributions) that associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Understanding how each risk factor could vary and impact cash flow, for example, allows management to better measure and manage the risk.
Non-probabilistic models (e.g., sensitivity analysis, scenario analysis) use subjective assumptions to estimate the impact of events without quantifying an associated likelihood on a business objective. For example, scenario analysis allows management to understand the impact on a business objective to increase profitability under different scenarios, such as a competitor releasing a new product, a disruption in the supply chain, or an increase in product costs.
Depending on how complex and mature the entity is, management may rely on a degree of judgment and expertise when conducting the modeling. Regardless of the approach used, any assumptions should be clearly stated.
The anticipated severity of risk may influence the type of approach used. In assessing risks that could have extreme impacts, management may use scenario analysis, but when assessing the effects of multiple events, management might find simulations more useful (e.g., stress testing). Conversely, high-frequency, low-impact risks may be more suited to data tracking and cognitive computing. To reach a consensus on the severity of risk, organizations may employ the same approach they used as part of risk identification.
Assessments may also be performed across the entity by different teams. In this case, the organization establishes an approach to review any differences in the assessment results. For example, if one team rates particular risks as “low,” but another team rates them as “medium,” management reviews the results to determine if there are inconsistencies in approach, assumptions, and perspectives of business objectives or risks.
Finally, part of risk assessment is seeking to understand the interdependencies that may exist between risks. Interdependencies can occur where multiple risks impact one business objective or where one risk triggers another. Risks can occur concurrently or sequentially. For example, for a technology innovator, the delay in launching new products results in a concurrent loss of market share and dilution of the entity’s brand value. How management understands interdependencies will be reflected in the assessment of severity.
A Guide to Risk Management: Risk Management
An organization follows the logical process of performing a risk assessment where inherent and residual risks assessments are performed, to assess the Impact and likelihood of identified risks.
Such processes are mentioned below involving five steps:
Step 1: Processes, Activities, and Risks Documentation
Step 2: Impact and Likelihood Assessment
Step 3: Risks Evaluation
Step 4: Controls Mapping and Mitigation Plan
Step 5: Risk Assessment Review
Step 1: Processes, Activities, and Risks Documentation:
To perform the risk assessment, risks are required to be identified for all the processes and activities of a department.
For example, to identify the risks of the finance department, first, the processes and activities of the finance department shall be identified, which may be as follows:
- Recording of financial transactions;
- Maintaining bank accounts;
- Making payments to vendors;
- Preparation of bank reconciliations;
- Preparation of financial statements;
- Paying organization taxes;
When identifying risks related to the finance department, all the above-mentioned processes and activities of finance departments must be known to be risk identifiers. Similarly, for all other departments of an organization relevant processes and activities are identified, to identify the risks and perform a risk assessment.
All identified risks are to be documented in the form of risk statements. Such risk statements are written logically and sequentially, in the risk register or risk database. All risk statements are to be linked with a particular activity, process, or department, such as risk related to the preparation of financial statements of a company must be linked with the financial reporting process being performed in the finance department because the finance department is responsible for preparation of organization’s financial statements.
After documenting the process or activity-wise risk statements, each documented risk statement is categorized into an appropriate risk category.
Different Types of Risks
There are various types of risk categories such as:
- operational risk,
- financial risk,
- compliance risk,
- reputational risk,
- health and safety risks,
- strategic risk,
- credit risk,
- market risk etc.
Step 2: Impact and Likelihood Assessment
After the identification of processes, activities, and documentation of identified risks, an inherent risk assessment is performed. During the performance of the inherent risk assessment, the “impact and likelihood” assessment is performed for each risk.
Impact assessment requires assessing the magnitude of loss which a particular risk may raise for the department or organization.
Likelihood assessment involves assessing the probability of occurrence of each identified risk.
Impact and likelihood assessment require assigning risk scores or levels for each risk to arrive at an overall inherent risk score.
Step 3: Risk Evaluation
Based on the inherent risk assessment performed for each risk, the risk evaluation is performed, which means identifying those risks which are found critical or non-critical. Usually, the following levels are considered for the evaluation of risks:
- High or Critical Level Risks
- Medium or Non-Critical Level Risks
- Low or Negligible Level Risks
Risk Ownership and Mitigation Plan
Risks ownerships are defined and incorporated into the risk database. Risk owners may be the departments or individuals working in those departments. Assigning risk ownership helps in coordination with relevant departments and personnel for risk and control feedback.
Risk owners are required to update their respective risk database or risk inventory, remain aware of their respective new and emerging risks, and be responsible for the application of internal controls to mitigate their risks.
Developing Risk Response and Assessing Control Activities
Another stage of the risk management process is risk handling. Management selects a series of actions to align risks with the organization’s risk appetite and risk tolerance levels to reduce the potential financial impact of the risk should it occur and/or to reduce the expected frequency of its occurrence. Possible responses to risk include avoiding, accepting, reducing, or sharing the risks.
- Risk avoidance
Withdrawal from activities where additional risk handling is not cost-effective and the returns are attractive about the risks faced.
- Risk acceptance
Acceptance of risk where additional risk handling is not cost-effective, but the potential returns are attractive about the risks faced.
- Risk reduction
Activities and measures designed to reduce the probability of risk crystallizing and/or minimize the severity of its impact should it crystallize (e.g., hedging, reinsurance, loss prevention, crisis management, business continuity planning, quality management).
- Risk sharing
Activities and measures are designed to transfer to a third-party responsibility for managing risk and/or liability for the financial consequence of risk should it crystallize.
Following the defined roles and responsibilities, the operating departments are responsible for implementing enough risk handling to manage risks at an acceptable level. If necessary, guidance on the development and implementation of risk-handling measures may be attained from the Risk Committee.
The successful management of organizational risk is critical for business sustainability and growth. It necessitates a comprehensive and ongoing approach that includes risk identification, assessment, and management across all facets of an organization. By maintaining a dynamic risk inventory, analyzing the potential impact and severity of identified risks, and implementing effective control measures, organizations can minimize disruptions, seize opportunities that arise from change, and ultimately ensure the achievement of their strategic and business objectives.