In the 5 Common Mistakes in Risk Identification, Analysis, and Evaluation blog post, we identified misunderstandings and missteps that many fall victim to when managing business risks. A 360° view of your business ecosystem helps you determine risk exposure and ensure regulatory compliance before your business is impacted. Of course, the original five mistakes aren’t the only things for risk professionals to be concerned with. Here are 5 additional mistakes to watch out for!
Gross risk, sometimes referred to as inherent risk, is the level of risk prior to implementing controls and other mitigating factors. Net risk, or residual risk, is the level of risk after all measures and controls are put in place. Knowing how to classify these two types of risk is not always obvious, particularly when the controls are not clearly defined or available to the assessor. Where the controls are not clearly defined, risk assessors may not understand that their net risk is actually lower than they perceive. This can get costly and problematic because you end up focusing resources/bandwidth on risks that are already under control, and not focusing on risks that legitimately need more attention.
Going back to our example in the original 5 Common Mistakes blog post with the flat tire, assessors often put preventive measures in place (regular tire maintenance), maintain awareness of risk status (air pressure indicators on the car dashboard), and have reactionary/response measures in place in case of an incident (tire-repair kit in trunk). The number of risks & controls, and tracking the changes to controls, becomes too complicated to manage when using a simple spreadsheet (or similar tool).
A dedicated risk management platform provides the visibility necessary to effectively manage gross and net risk and avoid mistake #6.
In the case of the flat tire, if you were to invest in a set of high-performing “run-flat” or “zero-pressure” tires like the ones that come standard on sports cars, Cadillacs, and BMWs, it would cost you significantly more than standard tires. However, simply adhering to better driving habits, conducting regular safety checks, and planning out your trips to avoid bad road conditions may deliver almost equal risk protection, and can prove to be far less costly.
All too often, in an effort to protect the business, risk managers put in additional controls to ensure that they have everything covered without taking into consideration controls that are already in place and can be optimized. The business may already have enough controls around a particular risk and the additional investment may not be necessary. It’s important to make sure that visibility is not obstructed and all options are gauged.
Mistake #7 can be avoided with a 360° view of information, managed in a shared repository that centralizes and connects all data related to risk management (e.g. risk, objectives, processes, departments, end-users).
There are more ways to approach risk management than merely diminishing or completely doing away with a risk. You can also transfer it, share it, accept it as is, or increase it. To apply any one of these strategies effectively, you need to obtain crucial information, including cost of implementation, the anticipated impact(s), set-up time, etc.
An effective risk governance system takes various options into account, but is particularly helpful when considering the possibility to increase the identified risk. Risk is a daily part of business and can affect all areas and at any level, and understanding the context of a risk is necessary for managing business expectations and achieving business goals. As such, a manager or a group of experts should be able to identify situations where accepting or increasing certain risks would be beneficial to the business.
When it comes to risk management, businesses focus on identifying and addressing their critical risks, then often find themselves stumbling into the pitfall of “over-controlling.” This can become a problem for any company where there are outdated risk controls in place. You don’t want to be in a position where so much time goes by between assessing risks and their controls, that you lose sight of why the control is there and whether it’s still necessary. If you’re trying to reassess the effectiveness of risk control plans from previous years, you may end up addressing risks that are no longer needed or are a low priority.
Reviewing risk controls and their relevance to the task of risk identification and treatment, and updating all of the information from various Excel spreadsheets to locate instances of over-controlling can be a daunting job.
To be more efficient and effective, boost your efforts with a tool that provides a dynamic view of the various controls connected to the identified risks, updated in real time. This allows your organization to have its finger on the pulse of where the business is now, what risks it may encounter, and how to manage those without unnecessarily impeding operations.
Since we’ve identified that one of the preventative measures to diminish the risk of a flat tire is checking tire pressure, it would be foolish to ignore this part of the plan, right?
Similarly, why put forth the time and effort to identify and analyze risks, then document and develop preventative measures, if you are not going to evaluate their impacts? Monitoring the risk is the most important part of the process because it produces the most tangible effects in the field; unfortunately, it is often overlooked.
Using a tracking tool that can be integrated with other types of action plans (such as quality, performance, compliance, etc.) and that has alerts set up for monitoring purposes will likely help to prevent Mistake #10.
We’ve reviewed the most common mistakes to avoid in the risk identification, analysis, and assessment process. Do you find yourself in one or more of these scenarios? How have you managed to swerve around them? With MEGA, you can determine your risk exposure and ensure regulatory compliance with a 360° view of all risk management processes. To learn more, read about HOPEX Operational Risk Management.