There are numerous ways to identify, analyze, and assess risk. Risk can take various forms, depending on context, industry, and lines of business. But regardless of the type, there are five common mistakes to avoid. What are they, and how do you ensure that you don’t fall for them?
Risk analysis identifies the causes and potential impacts of a risk, qualitatively. For example, you’re driving down the highway when, all of a sudden, you get a flat tire! You try to figure out what could have caused it: tire pressure, driving too fast, poor road conditions, a nail in the tire, etc. Then, you take into account the immediate and long-term consequences: your safety and that of those around you, financial impacts, long-term damage to your car, legal ramifications, etc. The causes and impacts are part of the risk analysis.
Risk evaluation is when you define the seriousness of the risk in relation to other risks. It is the quantitative part of the risk assessment. Going back to the driving analogy, getting a flat tire is a risk worth paying attention to, but how does that compare with the risk of a head-on collision or the risk of skidding on ice? Understanding the risks associated with your business and how to prioritize them will allow you to allocate resources in the most appropriate manner.
It’s important to recognize the difference between risk analysis and risk evaluation to determine when to apply each practice.
It’s important to ensure the appropriate stakeholders are involved in the risk assessment process. Going back to our driving analogy, we would want to make sure that people who are familiar with the car and the associated circumstances that result from getting a flat tire while driving are contributing to the risk assessment. Without that specific experience, a person may not be able to foresee potential ramifications or consequences. Would they understand that the car may violently pull to one side if a tire blows out while driving? Would they understand that there would be an immediate and dramatic loss of control of the car? Probably not. Ideally, a person analyzing and evaluating the risks of a flat tire would be a person with prior experience and an understanding of the associated results.
Having a tool that centralizes all of the data, along with the information on the end-users and their roles, can provide the context necessary to help you identify, analyze, and evaluate risk more accurately.
A risk factor can contribute to the likelihood of a risk occurring, but it is not the risk itself. Under-inflated tires, unpredictable weather, or potholes in the road don’t necessarily mean that you’ll end up with a flat tire. However, these risk factors can contribute to the likelihood of getting a flat. Being able to distinguish between “risk factors” and “risk” is helpful in determining causes and consequences of specific business actions. This enables stakeholders to build the correct preventative and reactive measures into strategic plans to avoid, minimize, and mitigate associated risks.
Company-defined objectives to measure the success of a program must be used to identify and assess associated risks. The danger lies in making an assessment based on the evaluator’s risk appetite, instead of basing it on the company’s goals.
To avoid this, the risk evaluators will need to be equipped with the company’s objectives so that they may perform an analysis in line with business goals. Having a solution in place to help communicate this information to the right people at the right time is key. To add further value, an integrated solution will need to include organizational, strategic, operational, and cost information related to identifying, analyzing, and assessing risk.
Don’t compare risk to the effectiveness of the controls you’ve put in place. Instead, you need to understand the way the controls affect an inherent risk and reduce it to a residual risk. In the driving example above, the risk is getting a flat tire, while the controls are regular tire checks, taking alternate routes to avoid damaged roads, keeping your AAA membership active, etc.
To accurately assess the situation and put an effective strategy in place, it’s important to differentiate the risks from the controls put in place. Understanding this and prioritizing them will allow you to allocate resources appropriately.
Do you find yourself in one or more of these scenarios? How have you managed to swerve around them? With MEGA, you can determine your risk exposure and ensure regulatory compliance with a 360° view of all risk management processes. To learn more, read about HOPEX Operational Risk Management.