In the last issue of risKey, we discussed the five stages of development towards becoming a risk intelligent enterprise, and provided an overview of the enterprise risk management (ERM) process. The process includes three steps: assessing the risks faced by the organization, implementing programs to mitigate those risks, and monitoring the results. This issue will take a closer look at the first step in the process.
An ERM assessment begins with a planning session to identify objectives and consider the scope of risks to be included. Participants should be selected and time requirements should be understood by all involved. Several methods can be used to identify the risks faced by the organization, including: a risk questionnaire, confidential interviews, onsite inspections, and a technical review of documentation.
Risk Identification
A risk questionnaire that includes a series of questions on both internal and external events should be used to identify risks. For the external area, questions might be directed at political and social risk, regulatory risk, industry risk, economic risk, environmental risk, competition risk, and so forth. Questions on the internal perspective might address risk relating to customers, creditors/investors, suppliers, operations, products, production processes, facilities, information systems, and so on.
Confidential interviews are conducted at the management, supervisory and employee levels to uncover pressing safety issues and further identify key risk exposures.
Onsite inspections provide firsthand knowledge of operations and a chance to view daily procedures, offering an opportunity to further evaluate physical exposures.
The technical review should include insurance policies, loss information, safety and cost containment programs, sales and payroll histories, etc. Checklists can aid in completing this review as well.
Brainstorming
The goal in identifying risks is to produce a comprehensive list of risks and to assess them, narrowing the list down to the top risks facing the organization. The key is to focus on the “vital few” rather than the “trivial many.” To accomplish this, the identified risks are presented to the management team, and evaluated by the various members in a brainstorming session. Each person ranks the risk based upon the perceived importance, and the scores are combined to determine the order of ranking.
Risks vs. Risk Factors
Once identified, it is important to understand why a particular risk exists. At this point, we are looking at the factors that give rise to the risk. The difference between risk and risk factors is a matter of what we can control.
Risks have potential for negative impact, present a threat to attaining objectives, and cannot be directly managed or controlled. Risk factors, on the other hand, are events or conditions that give rise to risk; they are the causes of risk, and can be controlled.
Before we can go further, we must explore and understand these risk factors, for they will be the actionable items used in developing our risk management strategy.
Risk Mapping
From the brainstorming session, it is determined which risks will be the focus going forward. Through interactive discussion within your management team, the perceived risks are then plotted on a mapping worksheet based on the expected frequency and potential severity. A risk map displays how risks look when put together in one place, and reflects the collective wisdom of the parties involved. It gives you a real picture of the risks that are most critical to your company’s operations and success.
Now that the risks have been identified and understood, the next step is to develop strategies that can be implemented to address those risks. In the next issue we will discuss step two, implementing your program, utilizing a strategic risk management plan.


