To create and enhance value within an organization, management must view value as a function of risk and return. Since risk is such an integral aspect to the pursuit of value, an enterprise cannot fully avoid or eliminate risk. Instead, entities seek to manage risk exposures across the organization so that they incur only the right kinds of risk to effectively pursue their strategic goals. Risk assessment is so important to this process of achieving a company’s goals and objectives. Each risk assessment process is designed specifically for a given organization depending on its size, complexity, and geographic presence. The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) developed an outline of the risk assessment process to assist organizations with the establishment of their own unique processes.
The Risk Assessment Process
The purpose of the risk assessment process is to assess the size and magnitude of risks, both individually and collectively, in order to focus management’s attention on the most vital threats and opportunities and to begin the preparation for risk response. This process is important because it enables management to measure and prioritize risks to ensure that they are appropriately managed within the company’s tolerance thresholds.
Following the identification of risks, the risk assessment process consists of four main steps:
- Develop assessment criteria.
A company must develop a common set of assessment criteria to be deployed across all business units and functions. Measurement of these risks begins with the development of an assessment scale. These scales usually rate risks in terms of likelihood and impact.
Likelihood represents the possibility that an event will occur and impact refers to the extent to which an event will affect the company. While these are characteristically the most common terms of a scale, some companies might choose to utilize a few additional factors. One of these factors is vulnerability which represents the susceptibility of the entity to a risk. Velocity is another common factor which ultimately refers to the speed at which it takes for a risk to manifest itself.
Typically, the more descriptive the scales, the more consistent their interpretation will be by management. When developing these scales and criteria, management must assess any inherent or residual risk. Inherent risk is a risk that a company faces in the absence of any management action; whereas residual risk is the risk that remains after responses are implemented.
- Assess risks.
Risk assessment is often performed as a two-stage process. First, there is an initial screening of the risks and opportunities using qualitative techniques, followed by quantitative evaluation of those risks. The qualitative assessment consists of assessing each risk and opportunity according to the descriptive scales. Some of the most common qualitative techniques are interviews, workshops, surveys, and benchmarking. The quantitative analysis on the other hand requires numerical values for impact and likelihood. Benchmarking and scenario analysis are two common examples of quantitative techniques.
- Assess risk interactions.
In order to assess a company’s portfolio risk, management must first understand the risks of individual elements plus their interactions due to the potential presence of mutually amplifying risks. A company may assess these interactions by grouping related risks into a broad risk area and then assign ownership for that area. Three main ways to capture these risk interactions are through risk interaction maps, correlation matrices, and bow-tie diagrams. Risk interaction maps are viewed as the simplest form of graphical representation for this process; however, a bow-tie diagram enables management to develop the full picture of a risk’s factors and consequences.
- Prioritize risks.
The resulting order is organized most simply through a hierarchy; however, another option is through a risk map. Risk maps are two-dimensional representations of impact plotted against likelihood. The most common way to prioritize these risks is by designating a risk level for each area such as high, medium, low, etc. After plotting the risks, they are then ranked from highest to lowest in terms of risk level.
In order for the risk assessment process to be effective, an organization must ensure it is performed by the right people with the right skills supported by the right technology. COSO’s Enterprise Risk Management – Integrated Framework emphasizes that for individuals to be able to perform their roles, they must assess and oversee these risks from a holistic perspective. Encompassing every risk and the overall portfolio enables an organization to effectively manage its risk exposures to determine the right kinds of risk a company must seek to achieve its strategic goals.