Risk Assessments And Risk Reviews: The Importance Of Performing Risk Assessments And Risk Reviews

Posted in Internal Controls, Risk Management on April 24, 2024

Nothing remains constant indefinitely. You will be able to determine whether your control measures are effective by speaking with your employees and monitoring incident rates and control measures. Managers and staff must be given responsibility for overseeing the process and developing reporting procedures, as well as discussing and assisting in the implementation of solutions and monitoring their effectiveness.


Performing Risk Assessments And Risk Reviews

Typically, when performing a risk assessment and risk review, an organization follows a logical and sequential process. A common process involves the following five steps:

  • Step 1: Risk Identification 
  • Step 2: Impact and Likelihood Assessment
  • Step 3: Risk Evaluation
  • Step 4: Risk Ownership and Risk Mitigation
  • Step 5: Risk Monitoring and Reporting

Step 1: Risk Identification

To perform the risk assessment, risks must be identified for all the processes and activities of the organization or of a particular department. For example, to identify the risks of the finance department, the processes and activities of the finance department should be identified. Example activities of the finance department may include:

  • Recording of financial transactions;
  • Maintaining bank accounts;
  • Making payments to vendors; 
  • Preparation of bank reconciliations;
  • Preparation of financial statements; and
  • Paying corporate taxes

To identify the risks related to the finance department, each of these activities is associated with the particular risks that may occur in practice for that activity. Similarly, for all other departments of an organization, relevant processes and activities should be identified for performing a risk assessment.

All identified risks are then documented in the form of risk statements. Such risk statements are written logically and sequentially. The risk statements should be centrally recorded in a risk register or risk database. All risk statements should also be linked to a particular activity, process, or department. For example, risks related to the preparation of a company's financial statements must be linked with the financial reporting process performed in the finance department, because the finance department is responsible for preparing the organization’s financial statements.

After documenting the process or activity-wise risk statements, each documented risk statement is categorized into an appropriate risk category. 


There are various types of risk categories such as:

  • operational risk, 
  • financial risk, 
  • compliance risk, 
  • reputational risk, 
  • health and safety risk, 
  • strategic risk, 
  • credit risk, and
  • market risk

Step 2: Impact And Likelihood Assessment

After identifying and documenting risks, an inherent risk assessment should be performed. As part of the inherent risk assessment, an impact and likelihood assessment is performed for each risk. Here,

  • the impact assessment requires assessing the magnitude of loss that a particular risk may raise for the department or organization; and
  • the likelihood assessment involves assessing the probability of occurrence of each identified risk.  

Impact and likelihood assessments require assigning risk scores or levels for each risk to arrive at an overall inherent risk score.

Step 3: Risk Evaluation

Based on the inherent risk assessment performed for each risk, the risk evaluation is performed, which means classifying each risk as critical or non-critical. Usually, the following levels are considered when evaluating risks:

  • High or critical-level risks
  • Medium or non-critical-level risks
  • Low or negligible-level risks 

Step 4: Risk Ownership And Risk Mitigation

Risk ownership is defined and recorded in the risk database. Risk owners may be departments or individuals working in those departments. Assigning risk ownership helps in coordinating with the relevant departments and personnel for feedback on risks and controls.

Risk owners are required to update their respective risk database or risk inventory, remain aware of their respective new and emerging risks, and be responsible for the application of internal controls to mitigate their risks.


Developing Risk Response and Assessing Control Activities

Another stage of the risk management process is risk handling. Management selects a series of actions to align risks with the organization’s risk appetite and risk-tolerance levels to reduce the potential financial impact of the risk should it occur and/or to reduce the expected frequency of its occurrence. Possible responses to risk include avoiding, accepting, reducing, or sharing the risks.

  • Risk avoidance means the withdrawal from activities where additional risk handling is not cost-effective, and the returns are attractive.
  • Risk acceptance describes the acceptance of risk where additional risk handling is not cost-effective, but the potential returns are attractive.
  • Risk reduction involves activities and measures designed to reduce the probability of risk crystallizing and/or minimizing the severity of its impact should it crystallize. Example measures include hedging, reinsurance, loss prevention, crisis management, business continuity planning, quality management, and others.
  • Risk sharing relates to activities and measures designed to transfer to a third party the responsibility for managing risk and/or the liability for the financial consequence of risk should it crystallize.

Following the defined roles and responsibilities, the operating departments are responsible for implementing sufficient risk-handling measures to manage risks at an acceptable level. If necessary, guidance on the development and implementation of risk-handling measures may be obtained from a body responsible for risk, such as a risk committee.

Step 5: Risk Monitoring And Reporting

There need to be adequate controls and ongoing monitoring mechanisms to enable timely notification of fundamental changes in risks or their handling measures. Since the internal and external environment within which the company operates changes continuously, the risk management process must remain sufficiently flexible to accommodate new situations as they arise. Risk responses that were once effective may become irrelevant. Control activities may become less effective or no longer be performed, and entity objectives may change. In the face of such changes, management needs to determine whether the functioning of the risk management framework continues to be effective.

Finally, risk reporting comprises the following elements:

  • Department-specific description of key risks and opportunities;
  • Risk rating based on the impact on occurrence and likelihood of occurrence;
  • Description of key risk-handling measures including the impact of these handling measures; and
  • Statement of materialized risks.

Final Thoughts

Risk assessments and risk reviews are essential processes in an organization to identify, evaluate, mitigate, and monitor various potential threats. These methods involve strategic procedures, ranging from risk identification linked to the organization’s activities, through an impact and likelihood assessment, to developing responses and assigning ownership. Notably, the implementation of control measures plays a pivotal role in mitigating these risks, requiring effective coordination between all departmental levels.

Managers and staff hold crucial responsibilities in this process, from overseeing the implementation of solutions to monitoring their effectiveness. Moreover, these procedures must not be seen as static, but instead as dynamic processes that adapt to the changing internal and external environment of the organization. Therefore, regular risk monitoring and reporting are imperative to ensure the continued effectiveness of these measures, thereby fortifying the organization’s resilience to potential threats.