What Is Risk Analysis?
Organizations perform risk analysis to understand how risks interrelate with one another and their potential to create operational and business disruptions. Risk analysis requires assessing risks using different approaches: qualitative, quantitative, or a combination of both. Risks identified and included in an entity's risk inventory are analyzed to understand the severity of each with respect to the achievement of the entity's strategy and business objectives.
Risk analysis informs the selection of risk responses. Given the severity of risks identified, management decides on the resources and capabilities to deploy for the risk to remain within the entity’s risk appetite.
The severity of a risk is analyzed at multiple levels (across divisions, functions, and operating units) in line with the business objectives it may impact. Risks assessed as important at the operating unit level, for example, may be less important at the division or entity level. At higher levels of the entity, risks are likely to have a greater impact on reputation, brand, and trustworthiness. Using standardized risk terminology and categories helps assess risks consistently at all levels of the organization.
Qualitative assessment approaches, such as interviews, workshops, surveys, and benchmarking, are often used when it is neither practicable nor cost-effective to obtain sufficient data for quantification. This type of assessment is more efficient to complete; however, there are limitations in the ability to identify correlations or perform a cost-benefit analysis.
By contrast, quantitative assessment approaches, such as modeling, decision trees, and Monte Carlo simulations, allow for increased granularity and precision and support a cost-benefit analysis. Consequently, quantitative approaches are typically used for complex and sophisticated activities to supplement qualitative techniques.
Examples Of Quantitative Approach
One example of a quantitative approach is the use of probability models (such as value at risk, cash flow at risk, and operational loss distributions) that associate a range of events and their resulting impact with the likelihood of those events, based on stated assumptions. Understanding how each risk factor could vary and affect cash flow, for example, allows management to better measure and manage the risk.
Another example is non-probabilistic models (e.g., sensitivity analysis, scenario analysis), which use subjective assumptions to estimate the impact of events on a business objective without quantifying an associated likelihood. For example, scenario analysis allows management to understand the impact on a business objective to increase profitability under different scenarios, such as a competitor releasing a new product, a disruption in the supply chain, or an increase in product costs…
Depending on how complex and mature the entity is, management may rely on expert judgment and experience when conducting the modeling. Regardless of the approach used, any assumptions should be clearly stated.
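The following is an added illustration of the probability-model approach described above (an operational loss distribution estimated by Monte Carlo simulation, with value at risk read off as a percentile); it is not code from the original page. The model and its parameters are assumptions chosen for the example: event frequency per year is Poisson-distributed, the loss per event is lognormal, and the risk appetite threshold is a constructed figure. In keeping with the point that assumptions should be clearly stated, the block prints them alongside the results and cross-checks the simulated mean against the closed-form expected annual loss.

```python
"""Monte Carlo operational loss distribution (frequency x severity model).

Added example. Modelling assumptions (not from the page):
  - number of loss events per year ~ Poisson(FREQ_LAMBDA)
  - loss per event               ~ LogNormal(SEV_MU, SEV_SIGMA)
  - annual loss = sum of the per-event losses in a simulated year
  - APPETITE is a constructed risk-appetite threshold for annual loss
"""
import math
import random
from typing import Dict, List

N_YEARS = 20_000              # simulated years
FREQ_LAMBDA = 2.0             # expected loss events per year
SEV_MU = math.log(50_000)     # median single-event loss of 50,000
SEV_SIGMA = 0.8               # dispersion of single-event loss
APPETITE = 500_000            # annual loss the entity is willing to tolerate


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) variate using Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years: int, freq_lambda: float, sev_mu: float,
                           sev_sigma: float, seed: int = 7) -> List[float]:
    """Simulate n_years of total annual loss under the compound model."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    annual = []
    for _ in range(n_years):
        events = poisson_sample(rng, freq_lambda)
        annual.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(events)))
    return annual


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of an unsorted list."""
    ordered = sorted(values)
    idx = math.ceil(p / 100 * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, idx))]


def expected_annual_loss(freq_lambda: float, sev_mu: float, sev_sigma: float) -> float:
    """Closed-form mean of the compound Poisson-lognormal model: lambda * E[severity]."""
    return freq_lambda * math.exp(sev_mu + sev_sigma ** 2 / 2)


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses: List[float], appetite: float) -> Dict[str, float]:
    """Key figures management would read from the loss distribution."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),   # 95% value at risk
        "p99": percentile(losses, 99),   # 99% value at risk
        "p_exceed_appetite": exceedance_probability(losses, appetite),
    }


if __name__ == "__main__":
    print(f"Assumptions: events/year ~ Poisson({FREQ_LAMBDA}), "
          f"severity ~ LogNormal(mu={SEV_MU:.3f}, sigma={SEV_SIGMA}), "
          f"appetite = {APPETITE:,}")
    losses = simulate_annual_losses(N_YEARS, FREQ_LAMBDA, SEV_MU, SEV_SIGMA)
    summary = summarize(losses, APPETITE)
    for key, value in summary.items():
        print(f"{key:>18}: {value:,.2f}")
    print(f"analytic mean loss: {expected_annual_loss(FREQ_LAMBDA, SEV_MU, SEV_SIGMA):,.2f}")
```

The simulated mean should land close to the analytic mean; if it does not, the sampler or the parameters are wrong, which is exactly the kind of check a stated assumption makes possible. The p95 and p99 figures are what a value-at-risk style report quotes, and the appetite exceedance probability is the number that tells management whether the risk currently sits inside the entity's appetite.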
The anticipated severity of a risk may also influence the type of approach used. In assessing risks that could have extreme impacts, management may use scenario analysis, while when assessing the effects of multiple events, management might find simulations (for example, stress testing) more useful. Conversely, high-frequency, low-impact risks may be better suited to data tracking and cognitive computing. To reach a consensus on the severity of a risk, organizations may employ the same approach they used as part of risk identification.
Assessments may also be performed across the entity by different teams. In this case, the organization establishes an approach to review any differences in the assessment results. For example, if one team rates particular risks as “low,” but another team rates them as “medium,” management reviews the results to determine if there are inconsistencies in approach, assumptions, and perspectives of business objectives or risks.
Finally, understanding the interdependencies that may exist between risks is a component of risk assessment. Interdependence can emerge when numerous risks affect the same business objective or when one risk causes another. Risks might arise simultaneously or sequentially. For a technology developer, for example, a delay in introducing new products leads to a loss of market share, which in turn lessens the entity's brand value. Management's understanding of interdependence is reflected in the severity assessment.
Inherent And Residual Risk Assessments
An organization follows a logical process for performing a risk assessment in which inherent and residual risk assessments are carried out to assess the impact and likelihood of identified risks. The process involves the following five steps:
- Step 1: Processes, Activities, and Risks Documentation
- Step 2: Impact and Likelihood Assessment
- Step 3: Risk Evaluation
- Step 4: Controls Mapping and Mitigation Plan
- Step 5: Risk Assessment Review
Step 1: Processes, Activities, and Risks Documentation
To perform the risk assessment, risks must be identified for all the processes and activities of a department. For example, to identify the risks of the finance department, the processes and activities of the finance department must first be identified. These may include recording financial transactions; maintaining bank accounts; making payments to vendors; preparing bank reconciliations; preparing financial statements; and paying the organization's taxes.
When identifying risks related to the finance department, the people identifying the risks must be familiar with all of the processes and activities listed above. Similarly, for every other department of the organization, the relevant processes and activities are identified so that their risks can be identified and a risk assessment performed.
All identified risks should be documented in the form of risk statements, written logically and sequentially in the risk register or risk database. Each risk statement is linked to a particular activity, process, or department. For example, a risk related to the preparation of a company's financial statements must be linked to the financial reporting process performed in the finance department, because the finance department is responsible for preparing the organization's financial statements.
After documenting the process or activity-wise risk statements, each documented risk statement is categorized into an appropriate risk category.
Different Types of Risks: There are various risk categories, including operational, financial, compliance, reputational, health and safety, strategic, credit, and market risk.
Step 2: Impact and Likelihood Assessment
After the processes and activities have been identified and the identified risks documented, an inherent risk assessment is performed, in which an impact and likelihood assessment is carried out for each risk.
Impact assessment requires assessing the magnitude of the loss that a particular risk may cause for the department or organization.
Likelihood assessment involves assessing the probability of occurrence of each identified risk.
Impact and likelihood assessment requires assigning risk scores or levels for each risk, which are combined to arrive at an overall inherent risk score.
Step 3: Risk Evaluation
Based on the inherent risk assessment performed for each risk, risk evaluation is performed, which means identifying which risks are critical and which are not. Usually, risks are evaluated into three levels: High or Critical, Medium or Non-Critical, and Low or Negligible.
Risk Ownership and Mitigation Plan
Risk ownership is defined and entered into the risk database. Departments, or people working in particular departments, may be risk owners. Assigning risk ownership aids the coordination of risk and control feedback with the relevant departments and employees.
Risk owners must keep their risk database or risk inventory up to date, be aware of new and developing risks, and be accountable for the implementation of internal controls to minimize their risks.
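The steps above (documented risk statements linked to a department and process, impact and likelihood scoring into an inherent score, mapping of controls to obtain a residual score, evaluation into High/Medium/Low, and an ownership check), together with the earlier point about reconciling ratings produced by different teams, are illustrated by the following added example. It is not code from the original page. The 1 to 5 scales, the score thresholds, the way preventive and corrective controls discount likelihood and impact, and the finance-department register entries are all assumptions constructed for the example.

```python
"""Risk register: inherent score, control mapping, residual score, evaluation.

Added example. Scales and thresholds are assumptions, not from the page:
  - impact and likelihood are scored 1..5; score = impact * likelihood (1..25)
  - rating: >= 15 High/Critical, >= 8 Medium/Non-Critical, else Low/Negligible
  - a preventive control scales likelihood, a corrective control scales impact,
    each by (1 - effectiveness); a residual component never drops below 1
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15, 8


@dataclass
class Control:
    name: str
    kind: str             # "preventive" (reduces likelihood) or "corrective" (reduces impact)
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully effective)


@dataclass
class Risk:
    risk_id: str
    department: str
    process: str
    statement: str
    category: str
    impact: int
    likelihood: int
    owner: str = ""
    controls: List[Control] = field(default_factory=list)


def _check_scale(name: str, value: int) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")


def rate(score: float) -> str:
    """Step 3: evaluate a score into one of three levels."""
    if score >= HIGH_THRESHOLD:
        return "High/Critical"
    if score >= MEDIUM_THRESHOLD:
        return "Medium/Non-Critical"
    return "Low/Negligible"


def inherent_score(risk: Risk) -> int:
    """Step 2: inherent score before any control is considered."""
    _check_scale("impact", risk.impact)
    _check_scale("likelihood", risk.likelihood)
    return risk.impact * risk.likelihood


def residual_score(risk: Risk) -> float:
    """Step 4: apply mapped controls to get the residual score."""
    impact, likelihood = float(risk.impact), float(risk.likelihood)
    for c in risk.controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"control {c.name!r}: effectiveness must be in 0..1")
        if c.kind == "preventive":
            likelihood *= 1.0 - c.effectiveness
        elif c.kind == "corrective":
            impact *= 1.0 - c.effectiveness
        else:
            raise ValueError(f"control {c.name!r}: unknown kind {c.kind!r}")
    return max(1.0, impact) * max(1.0, likelihood)


def evaluate(register: List[Risk]) -> List[Dict]:
    """Score and rate every risk in the register (steps 2 to 4)."""
    rows = []
    for r in register:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({"risk_id": r.risk_id, "department": r.department, "process": r.process,
                     "category": r.category, "owner": r.owner,
                     "inherent": inh, "inherent_rating": rate(inh),
                     "residual": round(res, 2), "residual_rating": rate(res),
                     "controls": [c.name for c in r.controls]})
    return rows


def review_findings(rows: List[Dict]) -> List[str]:
    """Step 5: flag register entries that need management attention."""
    findings = []
    for row in rows:
        if row["residual_rating"] == "High/Critical":
            findings.append(f"{row['risk_id']}: residual still High/Critical, mitigation plan required")
        if not row["owner"]:
            findings.append(f"{row['risk_id']}: no risk owner assigned")
        if row["inherent_rating"] != "Low/Negligible" and not row["controls"]:
            findings.append(f"{row['risk_id']}: no controls mapped to a non-Low inherent risk")
    return findings


def rating_disagreements(team_a: Dict[str, str], team_b: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Cross-team review: risk IDs that two assessment teams rated differently."""
    shared = team_a.keys() & team_b.keys()
    return sorted((rid, team_a[rid], team_b[rid]) for rid in shared if team_a[rid] != team_b[rid])


# Constructed sample register for a finance department (illustrative data only).
SAMPLE_REGISTER = [
    Risk("FIN-01", "Finance", "Payments to vendors",
         "Payment is made to a fraudulent or altered vendor bank account", "Financial",
         impact=5, likelihood=4, owner="Head of Accounts Payable",
         controls=[Control("Dual approval of vendor master changes", "preventive", 0.6),
                   Control("Call-back verification of bank detail changes", "preventive", 0.5),
                   Control("Daily payment run reconciliation", "corrective", 0.3)]),
    Risk("FIN-02", "Finance", "Financial reporting",
         "Financial statements contain a material misstatement", "Compliance",
         impact=5, likelihood=2, owner="Financial Controller",
         controls=[Control("Independent review of statements", "preventive", 0.5)]),
    Risk("FIN-03", "Finance", "Bank reconciliations",
         "Bank reconciliations are not prepared on time", "Operational",
         impact=2, likelihood=3),
]

if __name__ == "__main__":
    rows = evaluate(SAMPLE_REGISTER)
    for row in rows:
        print(f"{row['risk_id']} inherent={row['inherent']} ({row['inherent_rating']}) "
              f"residual={row['residual']} ({row['residual_rating']})")
    for finding in review_findings(rows):
        print("finding:", finding)
```

Running the block shows FIN-01 falling from an inherent 20 (High/Critical) to a residual 3.5 once its three controls are mapped, while FIN-03 is flagged because no owner has been recorded for it. The scale checks reject scores outside 1 to 5 so that a mis-keyed entry cannot silently distort the register.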
Developing Risk Response and Assessing Control Activities
Another stage of the risk management process is risk handling. Management selects a series of actions to align risks with the organization's risk appetite and risk tolerance levels, to reduce the potential financial impact of a risk should it occur and/or to reduce the expected frequency of its occurrence. Possible responses to risk are avoiding, accepting, reducing, or sharing the risk.
Types Of Risk Response
Risk avoidance, which concerns withdrawal from activities where additional risk handling is not cost-effective and the potential returns are not attractive relative to the risks faced.
Risk acceptance, which concerns accepting a risk where additional risk handling is not cost-effective but the potential returns are attractive relative to the risks faced.
Risk reduction, which concerns activities and measures designed to reduce the probability of risk crystallizing and/or minimize the severity of its impact should it crystallize (e.g., hedging, reinsurance, loss prevention, crisis management, business continuity planning, quality management).
Risk sharing, which concerns activities and measures designed to transfer to a third party the responsibility for managing a risk and/or the liability for the financial consequences of the risk should it crystallize.
Following the defined roles and responsibilities, the operating departments are responsible for implementing sufficient risk handling measures to manage risks at an acceptable level. If necessary, guidance on the development and implementation of risk handling measures may be obtained from the Risk Committee.
Adequate controls and ongoing monitoring systems should be in place to enable prompt notice of fundamental changes in risks or risk management strategies. Because the internal and external contexts in which the organization operates are always changing, the risk management approach must be agile enough to accommodate new scenarios as they emerge. Previously effective risk responses may become obsolete, control activities may become less effective or cease to exist, or entity objectives may change. In the face of such developments, management must determine whether the risk management system is still operating effectively.
Risk reporting comprises a department-specific description of key risks and opportunities; a risk rating based on the impact and likelihood of occurrence; a description of key risk handling measures, including the effect of those measures; and a statement of materialized risks.
Risk analysis is the process of identifying and analyzing potential issues that could have a negative impact on key business initiatives or projects. It is carried out to help organizations avoid or mitigate risks.
A risk analysis includes considering the possibility of adverse events caused by natural processes, such as severe storms, earthquakes, or floods, as well as adverse events caused by malicious or inadvertent human activity. Identifying the potential for harm from these events, as well as the likelihood that they will occur, is an important part of risk analysis.