This is the second article of a six part series focusing on the concept of ERM and how companies are addressing the issue of risk assessment in their overall strategy.
Kevin Sullivan CPA, MBA
Senior Manager, ERM Group
732.287.1000 x 1276
Jerry Ravi CPA, CISA
Senior Manager, ERM Group
732.287.1000 x 1294
For companies contemplating the depth of their risk assessment process and procedures, the task can be both daunting and exhausting. A proper risk assessment identifies, assesses, and categorizes all risks throughout the company. Knowing where to begin and how to initiate the assessment are challenges faced by all executives undertaking a risk assessment.
What is the risk assessment?
Risk assessment is the identification and analysis of both quantitative (e.g. earnings risk) and qualitative (e.g. reputational risk) risks to the achievement of business objectives, and it forms a basis for determining how risks should be managed. Risk is assessed on an inherent and residual basis, allowing an entity to understand the extent to which potential events might impact objectives from two perspectives: likelihood and impact.
Enterprise Risk Management is not a "One-Size-Fits-All" approach. The above diagram depicts three stages of ERM Programs. At each stage, the Risk Assessment requirements vary. The key is to determine the degree of maturity that is right for your company.
How do you begin?
The first step to a proper risk assessment is identifying all the risks throughout the organization. Every entity faces a variety of risks from external and internal sources that must be identified. An organization can identify risks in several ways, including interviewing the Board of Directors and Executive Representatives from each organizational unit (e.g. Finance, IT, Human Resources, etc.) and asking questions such as "What do you perceive to be the largest risks to the company, in terms of significance and likelihood?" and "What do you perceive to be the biggest risks within your area of control?" Before the interview process can commence, there are certain activities that executives can do to aid in the risk assessment process:
- Identify a preliminary risk language (for example, definitions of risk tolerance and risk appetite, and of what constitutes a high, medium or low risk)
- Develop risk inventory questionnaires
- Develop materials and hold education / risk awareness session(s) with all areas of the organization
After establishing a common understanding and awareness of risks, interviews of key personnel can begin. Each interviewee should be asked to identify the top risks relevant to his/her department. The results of the interviews should be compiled, and all risks should be viewed and discussed at an aggregated level among all key management personnel. Finally, risk assessments should be linked to strategic objectives as illustrated in the diagram.
What Next?
Now that the company has an understanding of the top risks that impact the organization, senior management has to determine the company’s risk appetite and risk tolerance. Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value. Risk tolerance, on the other hand, is the range of acceptable variation around the company’s objectives.
The organization can start determining the risk appetite by asking questions such as: "What risks will not be accepted; will environmental or quality compromises be accepted or will the organization accept risks for competing objectives (e.g. gross profit vs. market share)?"
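As an added illustration (not part of the original article or of EisnerAmper's own methodology) of how the pieces above fit together, the following Python script scores a small risk register the way the earlier sections describe: each risk carries a likelihood and an impact rating, the inherent score is their product, the residual score discounts that by the effectiveness of existing controls, scores are mapped onto the high/medium/low language agreed before the interviews, results are aggregated per strategic objective, and each residual score is compared with a numeric risk appetite. The 1-to-5 rating scales, the band thresholds, the appetite value and the four sample risks are all constructed assumptions chosen for the example, not figures from the article.

```python
"""Score a risk register on an inherent and residual basis (added example)."""
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Risk:
    name: str
    department: str
    objective: str                 # strategic objective the risk threatens
    likelihood: int                # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe); assumed scale
    control_effectiveness: float   # 0.0 (no mitigating control) .. 1.0 (fully effective)

# Lower bound of score -> rating label; anything below the last bound is "Low".
# These thresholds are an assumption for the example, to be set by the organization.
RATING_BANDS = [(15, "High"), (8, "Medium")]

def validate(risk: Risk) -> None:
    """Reject ratings outside the agreed scales before they distort the register."""
    if not 1 <= risk.likelihood <= 5 or not 1 <= risk.impact <= 5:
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.name}: control effectiveness must be 0.0..1.0")

def inherent_score(risk: Risk) -> int:
    """Risk before any controls: likelihood x impact."""
    validate(risk)
    return risk.likelihood * risk.impact

def residual_score(risk: Risk) -> float:
    """Risk remaining after controls, with the inherent score discounted
    by control effectiveness (a simple linear model, assumed here)."""
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 1)

def rate(score: float) -> str:
    """Map a numeric score onto the high/medium/low risk language."""
    for lower_bound, label in RATING_BANDS:
        if score >= lower_bound:
            return label
    return "Low"

def above_appetite(register: list[Risk], appetite: float) -> list[Risk]:
    """Risks whose residual score exceeds the maximum the entity will accept,
    ordered from highest residual score down."""
    over = [r for r in register if residual_score(r) > appetite]
    return sorted(over, key=residual_score, reverse=True)

def aggregate_by_objective(register: list[Risk]) -> dict[str, list[str]]:
    """Link risks to strategic objectives: objective -> risk names, highest residual first."""
    grouped: dict[str, list[Risk]] = defaultdict(list)
    for r in register:
        grouped[r.objective].append(r)
    return {obj: [r.name for r in sorted(rs, key=residual_score, reverse=True)]
            for obj, rs in grouped.items()}

# Constructed sample register (not real data), as it might be compiled after interviews.
SAMPLE_REGISTER = [
    Risk("Ransomware outage", "IT", "Service availability", 4, 5, 0.5),
    Risk("Revenue recognition error", "Finance", "Accurate reporting", 2, 4, 0.75),
    Risk("Key staff attrition", "HR", "Service availability", 3, 3, 0.0),
    Risk("Vendor data breach", "IT", "Reputation", 3, 5, 0.6),
]

if __name__ == "__main__":
    appetite = 8.0   # assumed maximum acceptable residual score
    for r in SAMPLE_REGISTER:
        inh, res = inherent_score(r), residual_score(r)
        print(f"{r.name:28} {r.department:8} inherent={inh:2} ({rate(inh):6}) "
              f"residual={res:4} ({rate(res):6})")
    print("Linked to objectives:", aggregate_by_objective(SAMPLE_REGISTER))
    print("Above appetite:", [r.name for r in above_appetite(SAMPLE_REGISTER, appetite)])
```

In the sample, the ransomware risk is rated High on an inherent basis (20) but only Medium after its controls are credited (10.0), while the uncontrolled staff-attrition risk stays Medium on both bases; both still sit above the assumed appetite of 8 and would be the ones escalated to senior management, which is exactly the conversation the appetite and tolerance questions above are meant to drive.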
Companies may want to seek out ERM professionals who have expertise in developing and enhancing risk assessment and monitoring activities. EisnerAmper’s Risk Advisory practice has dedicated ERM personnel with expertise in continuous controls and risk monitoring that can be used to ensure your understanding of the risk drivers remains current with your strategy and objectives.