Risk management is a basic component of everything we do. Subconsciously, we assess and manage risk with each decision we make—from getting up in the morning to going back to sleep. So, in a way, most of us are already seasoned risk managers. Yet many find organizational risk management to be an overwhelming task. Managing your organization’s risks is not, and does not need to be, a complicated exercise.
Over my career, I have implemented and reviewed the successful execution of risk management at Fortune 1000 and 500 corporations, government entities, and small businesses that were formalizing their risk management process for the first time. This blog post offers simple steps that you can follow to help your organization effectively and efficiently assess and manage its risks. This approach can be successfully adapted and applied to any entity.
Understanding Why Your Organization is Taking Risks
Understanding an organization’s mission and objectives is critical to having an effective risk management program. These not only tell you what the organization wants to accomplish, but also why it is willing to take risks to do so. These serve as the backdrop and provide context for an enterprise to assess and manage risk.
Every organization seeks to create value. While it can take many different forms, value is a function of risk and reward. Companies must take risks to generate value. It is often said that the greater the risk, the greater the reward. This statement is false. Continually taking excessive risks will almost certainly lead to huge losses. However, it is impossible to eliminate risk entirely. Organizational risk management is the discipline employed to help an organization to operate at a risk level that allows it to maximize its value creation.
The Committee of Sponsoring Organizations (COSO) defines enterprise risk management as a “process . . . designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Based on this definition, it is impossible to manage risk without knowing an enterprise’s actual goals. Yet I have seen organizations where risk management activities are performed without consideration of their goals or objectives.
Identifying Risks in Your Organizational Structure
Once it has clearly defined its mission and goals, an organization is ready to prepare for a risk assessment by performing a risk identification exercise. It is important at this phase to have a risk management organizational structure that is robust enough to obtain adequate coverage and input from across the entity during the process. The worst-case scenario for identifying risks for a large enterprise is having the few individuals tasked with risk management, internal audit, or compliance duties perform this process without input from the business.
The goal and product of this exercise is to create a comprehensive list of risks for the entire organization. This is most effective and accurate when personnel from different units and with various levels of supervisory responsibility are involved. Be sure to include the potential for fraud and misconduct as specific areas of consideration in this step. The risks identified are commonly grouped by risk type (e.g., operational, environmental, strategic, financial, etc.) for reporting purposes.
Organizational Risk Assessment
When a comprehensive list of risks has been prepared, an entity is ready to perform a risk assessment. These go by many different names, such as a company risk assessment or an internal control risk assessment. Organizations may also perform assessments for specific areas of risk, such as data risk management or IT security. No matter the size of the organization or the scope of the assessment, the following are the three key components of a risk assessment:
- Develop Assessment Criteria,
- Assess Risks, and
- Prioritize Risks.
Assessment criteria are developed prior to assessing the identified risks to ensure that the participants assessing and prioritizing risks are using the same basis to do so. The likelihood and impact of each risk are the most common attributes used to assess risks. Assuming that each participant could assess the likelihood and impact of a risk as high, medium, or low, the criteria would specify the range that each rating covers. For example, the criteria may define a low likelihood rating as a risk that is not likely to occur in the next year, whereas a medium is likely to occur in the next 6-12 months, and a high is likely to occur in the next six months. Without defined criteria, ratings would be difficult to interpret consistently across a number of participants.
Another component that should be defined in the assessment criteria is whether risks are to be rated on an inherent or residual basis. Inherent risk requires participants to assess the risk under the assumption that no controls are in place. Residual risk is the risk that remains after accounting for all of the controls the entity has put in place. My experience has found using residual risk to be the simplest approach.
The process for assessing risks is where participants actually rate each risk against the assessment criteria. For larger enterprises, this may be an iterative process: a large group of lower- or middle-level managers assesses the risks first, and a subset of risks selected from their input is then provided to senior managers or executive leadership to assess. A smaller business may do its risk assessment in one round or workshop with its leadership. Risk assessments can be conducted in a variety of ways, such as online surveys, in-person interviews, group workshops, or benchmarking. The result of this process is a risk rating for each risk, typically based on the average likelihood and impact across participants.
While all risks are ranked by their risk rating from the risk assessment, risk prioritization is a subsequent process that determines risk management priorities by comparing the level of each risk against predetermined risk levels and tolerance thresholds. The view of risk is expanded from financial impact and probability to include subjective criteria such as health and safety impact, reputational impact, vulnerability, and other qualitative factors. This is an activity that should be performed with the executives and board members who have oversight of the company. Certain risks with lower risk ratings may be prioritized higher than others because of these additional factors.
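The three components above (criteria, assessment, prioritization) can be carried through on a small constructed risk list. The following is an added example, not the author's own tool or a Linford & Co. product: the likelihood bands follow the definitions in the text, while the impact bands, the 1/2/3 scoring, the multiplicative combination of average likelihood and average impact, the tolerance threshold of 4.0, and the sample risks and participant ratings are all assumptions made for illustration.

```python
"""Constructed risk-assessment scoring example (not the blog's own tool)."""
from dataclasses import dataclass, field
from statistics import mean

# Assessment criteria. Likelihood definitions are the ones given in the text;
# the impact definitions and the 1/2/3 scores are assumptions for this example.
LIKELIHOOD = {
    "low": 1,     # not likely to occur in the next year
    "medium": 2,  # likely to occur in the next 6-12 months
    "high": 3,    # likely to occur in the next six months
}
IMPACT = {
    "low": 1,     # constructed: absorbed within the normal operating budget
    "medium": 2,  # constructed: material loss, recoverable within a quarter
    "high": 3,    # constructed: threatens an objective or the entity itself
}
RISK_BASIS = "residual"  # participants rate with existing controls in place


@dataclass
class Risk:
    name: str
    risk_type: str            # e.g. operational, strategic, environmental
    ratings: list             # one (likelihood, impact) label pair per participant
    qualitative_flags: set = field(default_factory=set)  # raised at prioritization


def validate(label, criteria):
    """Reject ratings that are not defined in the criteria, so every participant
    is scored on the same basis."""
    if label not in criteria:
        raise ValueError(f"{label!r} is not a defined rating; use {sorted(criteria)}")
    return criteria[label]


def assess(risk):
    """Average participants' likelihood and impact scores and combine them.
    Assumption: rating = average likelihood x average impact."""
    if not risk.ratings:
        raise ValueError(f"no participant ratings for {risk.name}")
    avg_l = mean(validate(l, LIKELIHOOD) for l, _ in risk.ratings)
    avg_i = mean(validate(i, IMPACT) for _, i in risk.ratings)
    return round(avg_l, 2), round(avg_i, 2), round(avg_l * avg_i, 2)


def prioritize(risks, tolerance=4.0):
    """Compare each rating against a predetermined tolerance threshold, then let
    qualitative factors (health/safety, reputation) lift a below-threshold risk
    into the priority set. Priority risks are listed first, highest rating first."""
    results = []
    for r in risks:
        avg_l, avg_i, rating = assess(r)
        above = rating >= tolerance
        escalated = (not above) and bool(r.qualitative_flags)
        if above:
            reason = "above tolerance"
        elif escalated:
            reason = "qualitative: " + ", ".join(sorted(r.qualitative_flags))
        else:
            reason = "within tolerance"
        results.append({
            "risk": r.name, "type": r.risk_type,
            "likelihood": avg_l, "impact": avg_i, "rating": rating,
            "priority": above or escalated, "reason": reason,
        })
    return sorted(results, key=lambda x: (not x["priority"], -x["rating"]))


def group_by_type(results):
    """Group prioritized results by risk type for reporting."""
    report = {}
    for row in results:
        report.setdefault(row["type"], []).append(row)
    return report


# Constructed sample input: three risks rated by two or three participants each.
SAMPLE_RISKS = [
    Risk("Ransomware outage", "operational",
         [("high", "high"), ("medium", "high"), ("high", "medium")]),
    Risk("Key supplier insolvency", "strategic",
         [("low", "high"), ("low", "medium")]),
    Risk("Chemical storage leak", "environmental",
         [("low", "medium"), ("low", "medium"), ("low", "high")],
         qualitative_flags={"health_safety"}),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f'{row["risk"]:<26} {row["rating"]:>5}  '
              f'{"PRIORITY" if row["priority"] else "monitor"}  ({row["reason"]})')
```

The third sample risk shows the prioritization step from the text: its rating (2.33) sits below the tolerance threshold, yet the health and safety flag moves it into the priority set ahead of a higher-rated risk that stays within tolerance. Swapping `RISK_BASIS` to inherent would not change the code, only the instruction given to participants when they rate.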
The sections that follow briefly describe the key questions addressed by risk management.
Beginning Organizational Risk Management
Many organizations’ risk management activities end with an annual risk assessment. However, that is just the beginning of risk management. The risk assessment provides information on the key or top risks facing the organization as well as a baseline of risks to consider when evaluating its internal control environment. However, a risk assessment is a pointless exercise unless management takes action on this information.
How Can You Address Risk?
While you may have responsibility for facilitating the process, organizational risk management must be shared by leadership throughout the organization. You, your team, and those senior leaders participating in the process make up your primary organizational risk management structure. Members of this group should be assigned ownership for the top priority organizational risks. Risk owners not only hold a leadership position, but also have experience and responsibilities related to the risk(s) that they own. Risk owners should be enabled to recruit assistance to research the risk and potential actions the organization can take to address the risks. The following are five types of actions one can take to address a risk:
- Accept – by accepting a risk, an organization decides to take no action and to deal with the consequences if/when it occurs.
- Avoid – an entity avoids a risk by forgoing the activities that would potentially cause it.
- Mitigate – an organization mitigates a risk by adding control activities that reduce or eliminate the risk.
- Transfer – a company transfers risk by insuring for the potential impact of a risk or by outsourcing the activities related to the risk to another organization.
- Exploit – an organization exploits a risk when the impact is positive by performing activities that increase the likelihood of its occurrence.
Risk owners should present the additional information learned regarding their respective risks as well as their proposed actions to the organization’s risk management structure and, if separate, the executive team for their review and approval to take action.
When Should You Reassess Risk?
As the word management suggests, risk management is an ongoing process. The world is constantly changing with new technology, regulatory changes, industry shifts, etc. Additionally, as part of risk management, organizations are making internal changes. Consequently, risk management is an iterative process. An annual risk assessment may be adequate for an organization to meet its minimal compliance obligations. However, organizations should regularly revisit their risk assessment and the related action plans to reassess whether each risk has changed and to determine the effect of their actions on the organization’s overall risk profile.
How Can You Assess Risk at Service Providers?
We live in a day when nearly every organization outsources something. Outsourcing transfers some of the risk to the service provider. However, if your company is itself a service provider, you are still responsible for monitoring your own service providers and ensuring the quality of the end delivery of your services to your clients.
So, how can you get comfortable with your service provider’s control environment and quality of service? You can request and review a SOC report from your service provider. It can help you identify risks that are not addressed by the service provider and the need to implement controls to mitigate those risks within your own environment. Learn more about the different types of service organizations for which you may want to request a SOC report.
Risk management is a continual process, not an event. If performed properly, it can be a powerful tool that enables organizations to operate at an optimal risk level that allows them to maximize their value creation. It is important to remember that service providers for critical processes should be considered an extension of your organization.
For more information on organizational risk management and SOC audits, read these related blog posts:
- Cybersecurity Risk Management Program
- Information Security Risk Management
- The IT Risk Assessment and HIPAA Compliance
- SOC 1 Reports – SSAE 18 Replaces SSAE 16
- What is an Assertion?
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.