3.- EXAMPLES OF RISKS
Any risk assessment exercise should begin with the establishment of a scope and plan, considering objectives, responsibilities, timing and input and output requirements. Responsibilities in the risk assessment process are assigned to those parties that can provide meaningful perspective on relevant risks. Sources of input are determined based on available information (e.g., prior assessments, loss data, KPIs, lessons learned, etc.). Output requirements are established based on the specific requirements of senior management, steering committees, other stakeholders, stockholders or business partners.
A risk management program must consider activities at all levels of the organization. The objectives and events under consideration determine the scope of the risk assessment to be undertaken.
Examples of frequently performed risk assessments include:
- Strategic risk assessment. Evaluation of risks relating to the organization’s mission and strategic objectives, typically performed by senior management teams in strategic planning meetings.
- Operational risk assessment. Evaluation of the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
- Financial risk assessment. Evaluation of risks related to a material misstatement of the organization’s financial statements through input from various parties such as the controller, internal audit, and operations.
- Compliance risk assessment. Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts to which the organization has committed.
- Supply chain risk assessment. Evaluation of the risks associated with the selection and management of suppliers which could impact the achievement of the organization’s business objectives.
- Customer risk assessment. Evaluation of the risk profile of customers that could potentially impact the organization’s reputation and financial position, including pressure from customers to reduce prices for products and services, the departure of one of the organization’s top customers, and the likelihood that customers will find another source for the product or a different product that delivers the same results.
- Project risk assessment. Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations.
- Market risk assessment. Evaluation of market movements that could affect the organization’s performance or risk exposure, including the threats posed by competitors and how they can affect the business, and the threat from the development of new products.
- Product risk assessment. Evaluation of the risk factors associated with an organization’s product, from design and development through manufacturing, distribution, use, and disposal.
- Security risk assessment. Evaluation of potential breaches in an organization’s physical assets and information protection and security. This considers infrastructure, applications, operations, and people.
- Information technology risk assessment. Evaluation of potential for technology system failures. This assessment would consider such factors as processing capacity, access control, data protection, and cyber crime.
“A continual process of risk identification and risk management is key to a company's success.”
Understanding both the nature of the organization’s objectives and the types of possible risks under consideration is key to determining the scope of the risk assessment. Once the scope is defined, those possible risks deemed likely to occur are rated in terms of impact (or severity) and likelihood (or probability). The results can be compiled to provide a “heat map” (or risk profile) that can be viewed in relation to an entity’s willingness to take on such risks. This enables the entity to develop response strategies and allocate its resources appropriately. Risk management discipline then ensures that risk assessments become an ongoing process, in which objectives, risks, risk response measures and controls are regularly re-evaluated. Risk assessment discipline evolves and matures over time. Organizations typically start with a broad, qualitative assessment and gradually refine their data and analysis as they collect and analyze sufficient relevant data points to support risk-informed decision making and allocation of resources.
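The impact-and-likelihood rating and heat-map step described above, as an added worked example that is not part of the original text: it assumes a 1 to 5 ordinal scale for both ratings and a single numeric risk-appetite threshold, and the register entries are constructed for illustration.

```python
"""Impact x likelihood rating and heat-map compilation for a risk register.

Assumed conventions (not from the source text): both ratings use a 1..5
scale, and risk appetite is expressed as one numeric score threshold."""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Risk:
    name: str
    category: str    # e.g. "security", "supply chain", "customer"
    impact: int      # severity if the event occurs
    likelihood: int  # probability that the event occurs


def score(risk: Risk) -> int:
    """Inherent risk score; rejects ratings outside the defined scale."""
    if risk.impact not in SCALE or risk.likelihood not in SCALE:
        raise ValueError(f"{risk.name}: ratings must be within 1..5")
    return risk.impact * risk.likelihood


def heat_map(risks: list[Risk]) -> list[list[int]]:
    """5x5 grid of risk counts, indexed as grid[impact-1][likelihood-1]."""
    grid = [[0] * len(SCALE) for _ in SCALE]
    for r in risks:
        score(r)  # validates the ratings before placing the risk
        grid[r.impact - 1][r.likelihood - 1] += 1
    return grid


def beyond_appetite(risks: list[Risk], appetite: int) -> list[str]:
    """Names of risks whose score exceeds the appetite, highest first.
    Ties are broken by impact so severe-but-rare events are not buried."""
    over = [r for r in risks if score(r) > appetite]
    over.sort(key=lambda r: (score(r), r.impact), reverse=True)
    return [r.name for r in over]


# Constructed sample register for illustration only.
REGISTER = [
    Risk("Unpatched remote-access gateway", "security", 5, 3),
    Risk("Single supplier for payment terminals", "supply chain", 4, 2),
    Risk("Top customer renegotiates pricing", "customer", 3, 4),
    Risk("Data-centre power loss", "operational", 5, 1),
    Risk("Project schedule slips a quarter", "project", 2, 2),
]

if __name__ == "__main__":
    for row in heat_map(REGISTER):
        print(row)
    print(beyond_appetite(REGISTER, appetite=8))
```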