Want to know your risk?
You need a Risk Assessment!
By Stefan Lia
In this article, Stefan Lia, from the Deloitte Risk Advisory team, delves into the need and importance of carrying out a structured risk assessment for organisations to develop a comprehensive risk management framework.
Organisations face a multitude of risks, from operational to cyber, to data privacy and internal fraud. And this is just to mention a few. The tasks at hand looks fairly simple. Risks need to be properly identified, assessed and their potential impact understood. Any risk that causes concern would also need to be mitigated.
This whole process should all form part of an integrated risk management framework. The risk assessment, in line with various international standards and best practice, is the first steps in implementing a solid risk management framework within an organisation.
Why is a risk assessment required?
At root, a risk assessment assists organisations in identifying, assessing and, ultimately, mitigating, the full suite of risks that your organisation faces. As indicated above, the risk assessments is an integral part of the risk management process. It provides a structured process for organisations to identify how their objectives may be affected. It is used to analyse risk in terms of probability of occurrence and their potential consequences, before the organization decides on further treatment, if required.
A risk assessment provides decision-makers and responsible parties with an improved understanding of risks that could affect the achievement of objectives, as well as of the adequacy and effectiveness of controls already in place. The standard provides a basis for decisions about the most appropriate approach to treat particular risks and select between the most viable mitigation options.
What does it need to cover?
There are various ways in which a risk assessment can be structured. It can be an enterprise-wide assessment thus covering everything from operational risk to cyber risk and internal fraud. It can also be more focused. A risk assessment can be structured to focus on a single area such as IT, outsourcing, anti-money laundering and terrorist financing or data privacy. The last two assessments arise out of regulatory requirements that certain companies must abide by, so organisations may opt to focus on what is required before extending the exercise further.
The risk assessment can also be designed in a manner that focuses on the “key risk areas” of an organisation. Naturally, any such assessment would need to be preceded by an exercise that identifies your organisation’s priority areas. This could be beneficial in that organisations may be dependent on certain functions without having proper knowledge of the level of dependency and potential risks that it faces as a result.
Ultimately, all activities of an organisation involve an element of risk that should be managed. Therefore, it is important that the risk assessment exercise is as comprehensive as possible to ensure the organisation has an understanding of future events or circumstances (intended or unintended) and their effects on the organisation’s objectives.
How do you go about the actual assessment?
At its core, a risk assessment attempts to answer a number of questions on the occurrence and impact of risks. Once this is understood, it focuses on the mitigation measures that can help protect the organisation. The below paragraphs outline all the steps an organisation is required to conduct in order to have an adequate risk assessment.
The first step in any risk assessment is to identify the risks that the organisation faces. There are various way of doing this, including: workshops with employees, one on one interviews and undertaking a deep dive into each and every process through walkthroughs and testing. It is very important to involve key employees early in the process to ensure ownership by all those who will be involved.
Next comes the risk analysis part, which aims at rating the probability (of occurrence) and impact (of any such occurrence) to each and every identified risk. This is undoubtedly the most critical task of the entire risk assessment process. In completing it, one may opt for a more judgemental rating methodology based on the knowledge and experience of the individual risk owners. The alternative is to opt for a model based on quantitative criteria. This would require the expertise of “Data Crunchers” who are able to use business intelligence and data for the scope of analysing risks. Having the expertise of a qualified risk manager is a necessity in both instances as they would be able to guide the exercise depending on the methodology chosen.
The last part of the risk assessment consists of documenting the control framework, which assists you in mitigating the risks. This phase is generally done through an analysis of existing policies and procedures as well as going through the motion of procedures to understand how the risks identified are being mitigated.
The benefits of conducting an organisation-wide risk assessment cannot be underestimated. If carried out properly, it can help companies better appreciate their risks and prepare for the future. In fact, one of its key objective is to help management understand where the organisation stands, as well as the direction in which the Board is steering the organisation.
Given that various areas of risk differ in importance from industry to industry and between companies from the same industry, it is also necessary to understand where the organisation stands against its competition. This will help position the organisation at a competitive advantage and provide it with an edge against its competition.
Risk assessment exercises may appear to be daunting and complex at first glance. The truth is that it could end up being complex and inadequate unless the process is properly structured and managed throughout. Ultimately, the process risk assessment should become an annual exercise that will change and evolve as the organisation goes through its own changes and evolution. The effort will be worth it. It will lead to an organisation that understands the balance between risk and reward. Simply put, organisations create value by taking risks and lose value by failing to manage them.