Risk Analysis
What it’s all about, and how to make it work

 

April•May•June
AASCIF News

By Scott McConnell
Internal Audit Manager
Kentucky Employers’ Mutual Insurance


What does “risk analysis” mean to you?

The answer probably depends on what position you occupy in your organization. If you are like most people, risk analysis is understood as a concept, but the process of identifying, measuring and prioritizing risk is not easily understood. Believe me, if this were not the case, there wouldn’t be so many conferences and seminars, and so much literature, dedicated to the subject.

Risk is present in every aspect of business operations and affects all business resources, tangible and intangible. The challenges we face as individuals and organizations are to recognize it, understand it, and control it effectively on a cost-benefit basis.

Several definitions of risk are available.

It can be defined in a business context as the threat that an event or action will adversely affect an organization’s ability to achieve its business objectives and execute its strategies successfully.

Business risk can also be defined as a concept used by auditors and managers to express concern about the probable material effects of an uncertain environment on business goals.

Alternatively, business risk is often referred to as operational risk and can be defined as all costs resulting from inappropriate managerial decisions, incomplete control of resources and processes, and insufficient monitoring of environmental risk drivers such as changes in legislation.

Regardless of the definition, risk represents the possibility of a negative consequence.

Risk is often categorized as being internal or external.

Internal risks are those that arise from within the four walls of your organization. This risk is embedded within the policies and procedures unique to your organization. Management can, to a significant degree, control and mitigate these risks if they are identified.

External risks arise from the environment within which your business operates. External risks may not be controllable, but they often can be mitigated if management is vigilant and identifies them early.

Too often risk analysis is performed in reaction to an internal or external event that has already adversely affected the organization. The true benefit of risk analysis is realized when it is a proactive exercise in establishing preventive controls that facilitate the achievement of organizational objectives.


Understand the objectives
How is risk analysis conducted? Who is responsible for the analysis? How are identified risks assessed and prioritized?

Risk analysis begins with understanding and identifying organizational objectives. Because objectives abound from each level of the organization, this effort can be staged to match the detail of risk analysis desired. Initial efforts can focus on strategic organizational objectives associated with senior management. Secondary efforts can focus on departmental objectives associated with middle management. Ideally, several complementary risk analysis efforts could be performed, each focusing on more narrowly defined segments of the organization.

Sources of information could include annual budgets, strategic plans and departmental procedures. However, the most important source of information is the management team. For this effort to be successful, you must have their participation.

Once organizational objectives are identified, the task of identifying business risk can begin. As previously indicated when defining risk, this is really just a process of determining what actions or events will adversely affect an organization’s ability to achieve its business objectives. The process can be as easy as asking a series of simple questions such as:

What is the risk?

What could go wrong?

What are the risk management activities that mitigate risk?

What is the best evidence that these mitigation techniques are working as intended?

What test produces that evidence?

Surveys are a great tool to solicit this information because of the ability to tailor questions to the risks being identified. The right people need to participate. Again, communication and cooperation from all levels of the organization must occur.


Significance? Likelihood?
After risks are identified, they must be measured to determine significance and likelihood. Because of the intangible nature of risk, this is probably the most difficult step in the risk analysis process.

A methodology needs to be developed that ultimately quantifies the risks identified. Because most people have an intuitive understanding of risk based upon common sense and experience, any methodology developed will often have some degree of subjectivity embedded within it.

Risk measurement is most easily accomplished by creating indices where risk can be rated from low to high based upon selected valuation criteria. Weighting factors can then be assigned to the scale corresponding to the risk rating. Whatever method is chosen, it must be applied consistently throughout the process.

After ratings have been established for both risk significance and likelihood, prioritization of all the risks relative to each other can occur. This is simply a matter of sorting the risks based on the ratings assigned. Frequently this information is documented graphically to allow easy visualization of how each risk should be prioritized.

The final step in prioritization is to consider the element of time. The certainty or uncertainty of knowing when risk will be incurred determines to a great extent what efforts will be made to control it.


Watching for ‘triggers’

How often should your organization’s risk analysis be conducted? Ideally it should be maintained on a continuous basis due to the dynamic nature of the business environment. However, reality dictates that risk analysis will probably be performed on an annual basis. This creates opportunities for risk to develop unnoticed.

To prevent this, management needs to recognize both internal and external risk triggers. Potential risk triggers might include:

New laws and regulations.

Actions of competitors.

Economic changes.

Changes in customer demographics.

New organizational objectives.

New strategies, initiatives and activities.

New business processes.

New products.

Significant personnel changes.


Managing the future

Risk analysis helps us deal with the consequences of our inability to predict the future with certainty. It is important because gaps between the occurrence of risk and the ability to manage risk will always be present.

Understanding business risk requires a thorough understanding of business processes, understanding the effects of risk, and a framework or risk model that provides a common language for discussing risk.

Who is responsible for managing risk in your organization? If you think about it, every employee in the organization is a risk manager. They are the experts for their areas of responsibility. Developing a risk analysis program may be the assigned responsibility of one individual, but in reality it must be an organizational effort.

Author Scott McConnell can be reached at smcconnell@kemi.com or (859) 425-7800.


Copyright © 2001-2002 American Association of State Compensation Insurance Funds.
All rights reserved.