Ten Practices for Improving the Risk Assessment Process
Effective risk assessment is fundamental to the management and oversight of risk. While the risk assessment process must be tailored to the individual needs of each organization, the hallmark of a successful risk assessment is one that helps directors and executive management identify emerging risks and face the future confidently. Rather than shuffle "known knowns" around on a risk map, a risk assessment should help decision makers understand what they don't know.
To that end, 10 practices are summarized below that will help management and directors maximize the value derived from the risk assessment process.
1. Involve the appropriate people. Surveys we have conducted over the years indicate, without exception, that viewpoints and perspectives about risk often differ across a broad range of senior executives, operating units, and functional leaders. Therefore, it is important to involve appropriate stakeholders across the C-suite and vertically into the organization in the risk assessment process to ensure relevant points of view are heard.
2. Reduce the danger of groupthink. The risk assessment process should encourage an open, positive dialogue among key executives and stakeholders for identifying and evaluating opportunities and risks. As a safeguard against executives forming opinions or reaching conclusions without robust debate or considering dissenting views, management should ensure that all perspectives are heard from the right sources and considered in the process. Accordingly, anything an executive truly fears should be out in the open and any concerns about opportunities missed should be aired. The board should set the tone for this kind of open process.
3. Focus comprehensively on the distinctive dimensions of strategic risk. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), there are three dimensions to strategic risk: the implications from the strategy; the possibility of strategy not aligning with an organization's mission, vision and core values; and the risks to executing the strategy. All three dimensions need to be addressed if the company expects to avoid unintended consequences that could lead to lost opportunities or an unacceptable loss of enterprise value.
4. Understand the assumptions underlying the strategy. Boards and executives that are navigating the risk assessment process should consider how the organization's strategy and risk appetite work in tandem, and how it will drive behavior across the organization in setting objectives, allocating resources, and making key decisions. Are risks evaluated in the context of their impact on the organization's strategy and operations? Is adequate consideration given to macroeconomic issues? Is there a business intelligence process for monitoring the environment to ensure that critical assumptions remain valid? Is the board informed when assumptions are no longer valid? Are strategic assumptions stress-tested?
5. Consider the impact of disruptive change. The rapid pace of change in the global business environment is risky for entities of all types. Change alters risk profiles. The unique aspect of disruptive change is that it represents a choice: On which side of the change curve does an organization want to be? With the speed of change and constant advances in technology, rapid and innovative responses to new market opportunities and emerging risks can be a major source of competitive advantage. Conversely, failure to remain abreast or ahead of the change curve can place an organization in a position of becoming captive to events rather than charting its own course. The risk assessment process must be dynamic enough to account for significant change.
6. Consider appropriate criteria to assess "high impact, low likelihood" risks. When considering extreme risk scenarios, the operative question is: How resilient is our organization in the event one or more of these scenarios occurs? Velocity of the impact as the scenario evolves, persistence of the impact over time, and the entity's response readiness are useful risk criteria to consider when answering this question.
7. Understand the sources of risk. One of the most difficult tasks in risk management is translating a risk assessment into actionable steps in the business plan. Risk owners often don't know what to do to address significant risks based on risk assessments displayed on the traditional two-dimensional graph. Accordingly, it may make sense to source the root causes of the most significant risks to better understand them and design more effective risk responses. Therefore, the process should be designed to identify patterns that connect potential interrelated risk events—risks that are not necessarily mutually exclusive.
8. Inform the board of the results in a timely manner. Directors should agree with management's determination of the organization's significant risks and incorporate those risks into the board's risk oversight process. In addition, significant risk issues warranting combined attention by executive management and the board should be escalated to directors' attention in a timely manner. A process for identifying emerging risks should be in place to supplement the ongoing risk assessment process.
9. Integrate risk considerations into decision-making. As important as the risk assessment process is, it may be just as important to consider the impact of major decisions on the organization's risk profile. If risk is understood to be the distribution of possible outcomes over a given time horizon due to changes in key underlying variables, it should be noted that major decisions either create new or different outcomes, some of which may be unintended, or alter previously considered outcomes. Significant decisions, therefore, should involve the board's understanding of the organization's appetite for risk and consider how those decisions impact the entity's risk profile.
10. Never end with just a list. Following completion of a formal or informal risk assessment, management should designate the appropriate risk owners for newly identified risks so that appropriate responses and accountability structures can be designed for their execution. "Enterprise list management" is aimless, loses its novelty over time, and can lead to trouble if risks are identified and nothing is done to address them.
An effective risk assessment process lays the foundation for executives and directors to navigate a changing business environment with confidence. The above practices can assist organizations in defining their most important risks and enable the board to ensure that its risk oversight is appropriately focused.
Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD BoardTalk.