The risk identification and assessment process is a critical part of effectively managing risks or events as part of an organization’s operational risk. Risks are identified and then classified by risk category (financial, operational, strategic, compliance) and/or sub-category (e.g., market, credit, human resources) for functional areas and projects. Each risk is then assessed based on its impact and prioritized in order to direct management focus toward the most important risks (Deloitte & Touche LLP, 2012).
The process consists of 4 simple steps conducted by a Risk Committee:
- Identify potential risks that could impact the organization.
- Classify each risk into categories and sub-categories (where necessary or as determined by your Risk Register).
- Rate each risk based on impact and likelihood, and provide rationale and understanding of root causes related to each risk (additional criteria can be rated; some processes include ‘speed of onset’ and ‘vulnerability’).
- Discuss results, view alignment, and finalize risk prioritization to ensure the right risks are managed going forward.
“Executives today face many challenges to their businesses, from uncertain economic growth to the speed of technological change. Add the clear and present risks of cyberattacks, changing customer behaviors, and you have a landscape in which the first-line owners of risk must also take the lead in managing that risk.” (PwC, 2017)
“Properly implemented, Risk Management can provide strategic and operational opportunities by focusing activities on what is important to an organization. Risk management creates value by providing opportunities for process improvement; controlling the risks that can hurt the organization most, breaking down silos, and helping the organization achieve its objectives” (Wallis, 2014).
1) NOODLE: What are the key risks that could impact our organization?
2) TAG: Categorize each risk by category (and/or sub-category), using the following tags (can be customized):
3) COMBINE to eliminate duplicates and move forward with only unique risks.
4) MULTI-CRITERIA RATE each risk based on Impact and Likelihood. In the comments section, provide rationale for why each risk was rated the way it was.
5) SHARE AND DISCUSS RESULTS: View alignment and decide on the priority of risks. Identify high priority risks for management attention.
- Prioritized list of risks to receive management attention
- Critical thinking skills developed that enable a risk culture
- Valuable insight into why risks were rated the way they were
- Shared understanding and alignment on risks to the organization.
- List of potential risks that can be revisited during each risk identification and assessment cycle
BENEFITS & IMPACT
This exercise will enable:
Quality: Gain critical insight into your organization and proactively manage the risks that impact achievement of strategic goals – no surprises. Increased perspectives will reduce risk.
Efficiency: Engage busy stakeholders when it’s convenient for them to contribute – 24/7, reducing meetings and bringing the right people to the table.
Engagement: Conversation analytics allow individual stakeholders to know how they rated risks versus how others did, igniting rich discussion and deeper alignment. Provide a safe space for stakeholders to evaluate and provide candid thoughts and rationale.
Agility: Develop a shared understanding about the organization’s or department’s key risks. Evaluate and focus management attention and resources on the most important risks.
Deloitte & Touche LLP. (2012). Risk Assessment in Practice. Deloitte. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/dttl-grc-riskassessmentinpractice.pdf
PwC Risk in Review. (2017). Managing Risk from the front line. PwC. https://www.pwc.com/us/en/risk-assurance/risk-in-review-study/survey-findings-risk-management-trends.html
Wallis, P. (2012). Risk Management, Achieving the Value Proposition. Government Finance Review. http://www.gfoa.org/risk-management-achieving-value-proposition