Enterprise Risk Assessment – Transforming Risk Information into Action

Picture this – you’re planning a road trip and map out your route. You identify places you want to visit, eat, and stay along the way.

When it comes time to actually hit the road though, you put on a blindfold and start driving in the direction you think you should be going.

Now I doubt anyone reading this would ever attempt something this foolhardy – however, flying blind is something too many organizations do when it comes to risk activities.

An enterprise risk management program that truly serves the organization is about much more than creating a list of risks.

While the identification stage of the ERM process is crucial for understanding risks and opportunities, the assessment process is how this list is transformed into a tool for protecting and building value.

Although I say enterprise risk assessment, terms like risk analysis or risk evaluation are also commonly used. Some organizations in fact combine this process with risk identification to create a seamless transition between the two phases of the ERM process.

Before diving into why risk assessment is so important, I want to provide my way of defining this invaluable step…

I believe this is the most straightforward way to define enterprise risk assessment. Frameworks like ISO 31000, COSO, and others define it as well, but their explanation can be confusing and not workable for many organizations in my experience. Norman Marks appears to agree according to his book World-Class Risk Management.

Why is enterprise risk assessment important?

Now that we understand what risk assessment is and that it occurs after the identification phase in the ERM process, I want to take some time to discuss why it’s important.

In short, enterprise risk assessment helps management understand which risks are important and how they connect with the strategic plan, organizational mission, or specific operation.

Without a solid process for analyzing risk information, your organization can suffer many consequences, some of which can be devastating.

Let’s take our scenario from the beginning as an example. If you were to actually blindfold yourself and start driving, the best case scenario is that you end up going in a different direction than needed. Worst case is that you are in a fatal accident.

Not taking the time to carefully analyze and prioritize your organization’s risks is much the same…

At best, you will end up wasting scarce resources on risks that are not that significant in the long run. This, of course, leaves the more significant risks and weaknesses unaddressed, exacerbates existing problems, and even creates new ones, which could lead to even more severe consequences.

In short, you end up increasing your risks, explains IT-security consultant Chris Cronin, who also notes that a poorly managed or non-existent risk assessment process can have legal ramifications. For instance, if a jury finds that an organization knew about a risk but did nothing to address it, the financial and reputational fallout could be devastating.

How is information for a risk assessment gathered?

As with risk identification, there are several methods organizations use to gather information for an assessment, and as with risk identification, the method will depend on a variety of factors such as the audience (C-suite vs. middle management vs. front-line staff), company culture, and the level of detail the assessment will cover.

Broadly speaking, top executives and their direct reports are the primary people involved in a risk assessment. Some organizations may involve lower management levels in their assessments depending on the particular risk(s), subject matter, and the maturity of the process.

Also, some organizations will just collect assessment information in the identification phase.

Common methods for gathering information on the importance and impact of risks include a combination of the following:

  • Surveys – Particularly useful for gathering information from a larger group, especially at the lower levels of the organization. Typically combined with interviews or workshops to refine the results.
  • Interviews – One-on-one interviews are usually reserved for top executives to discuss the bigger picture risks to strategy, etc. Interviews are also the preferred way to discuss sensitive topics.
  • Workshops/Meetings – These meetings typically occur with small-to-medium groups from the board, senior executives, and even the director level. It’s this type of meeting where priorities for which risks to focus on start coming into view.

Gathering information for a risk assessment can seem tedious and even intimidating to many involved, which is why detailed and transparent dialogues are so important. Using a survey alone will not provide the information needed for an adequate risk assessment, which of course opens up new risks.

According to management consultant Carolyn Goga in an article in Risk Management Magazine, uncovering the real issues affecting the organization will come from discussion and debate. As she explains, “the information gained will inform the company of its true state, uncover opportunities and help drive it in the right direction.”

What is enterprise risk assessment measuring?

In my definition of enterprise risk assessment, I explain that the ultimate goal of evaluating a risk is to understand the influence it will have on the organization. Influence is just an umbrella term to describe the various dimensions that a risk assessment measures.

A traditional risk management assessment will only consider the overall impact a particular risk will have, and in some cases, probability of occurrence.

However, one big difference between traditional and enterprise risk management is the multiple dimensions that are considered when evaluating risks. These can include:

  • Velocity (how soon will the risk affect the organization)
  • Preparedness (how prepared is the organization to respond to the risk)
  • Reputational impact
  • Persistence (how long will the effects last)
  • Interdependency of risks

Almost every organization doing risk assessments will examine the probability of occurrence and impact. Second to that, velocity and preparedness for particular risks are commonly considered.

The dimensions are very organization- and situation-specific. If risks are not very complex, impact and probability of occurrence should suffice. However, an organization that needs or wants to understand a particular risk in more depth may consider additional dimensions during its assessment.

It’s important to note that assessing risks at too high a level will make it difficult to identify issues and solutions, while getting too specific can lead to big issues being drowned out by small details.

It’s also critical to mention that enterprise risk assessments are not just looking at negative impacts, but positive ones as well. By not considering the impact, probability, velocity, and preparedness, a firm can miss out on opportunities arising from a particular event.

For an example, check out one of my first posts discussing risk management decisions in the aftermath of a hurricane. Retailers who considered opportunities following an event like this realized tremendous benefits to not just their bottom line, but their reputations as well.

Risk scoring/ranking/analysis – transforming assessment information into something actionable

Up until now, the enterprise risk assessment process has been more research. But at some point, you have to translate all of this information into something usable for decision-making.

At the end of the day, that is the heart of what enterprise risk management does.

I could write a book on this topic, but I’m going to save that for another time…

After agonizing over where to start, I think the best way to begin talking about this complex subject is to break it down between qualitative and quantitative.

Qualitative risk analysis

This analysis will use descriptive elements to rank a particular risk. For some risks like reputation, legal, or talent, it can be the only option since it’s really difficult to assign a dollar or some other numerical value to these.

Also, for the sake of simplicity when establishing your enterprise risk assessment process, qualitative analysis is a better option to choose unless your organization already has robust modeling and data analysis capabilities. If you jump head first into quantitative risk analysis, you risk (…no pun intended) overwhelming individuals who are key to making ERM a success for the long haul.

Qualitative risk analysis is commonly used in surveys. It asks the individual to assign a risk a score based on a numbered scale. The scale is usually 1-5, sometimes 1-3, or some other scale such as high, medium, or low. Risk management staff should provide details on probability ranges and other criteria. Below is an example of what the scale and criteria could look like.

Two cautions:

  1. This process can be very subjective since one person will view a risk with more urgency than someone else.
  2. People with skin in the game, those who want resources to address a particular risk, may be inclined to score that risk higher than it really deserves.

ERM takes information from these surveys to develop risk scores. Multiplying impact by likelihood is by far the most basic and common method. (I do not recommend it for various reasons, but I will save that for the book mentioned earlier!) However, there are a wide variety of practices organizations can consider. Below are a few examples according to a survey from NC State…

Images courtesy of NC State University


Another scoring option organizations use is to plot risks on a risk map or heat map, which is simply “…a graphical representation of likelihood and impact of one or more risks” according to COSO.

Here’s an example heat map using a 1 to 5 scale:


Truly understanding the importance of a risk requires more than coming up with a number or plotting a point on a chart. Risk professionals can take this information and use it to prompt discussions in an interview or workshop. It is during this collaborative process where participants’ view of a risk can change in light of new information, which can therefore alter its final score and how it’s ultimately handled.

(Visit Are Qualitative Risk Assessments Fatally Flawed? for more.)

Quantitative risk analysis

Having a hard number for impact values rather than a descriptive term is another way organizations score risks. Examples can include a dollar impact in the form of losses, fines, cash flow, or additional revenue, the number of incidents (safety), and more.

Quantitative analyses are commonly used to rank financial, credit, or market risks, so they are quite prevalent in financial institutions.

Organizations with robust data analysis and capital modeling capabilities can use quantitative analysis for examining a variety of risks, which is much more sophisticated than a qualitative analysis. Quantitative analyses are also commonly based on historical data, which is one reason why they can be impractical for those early in their ERM journey.

Similar to results from a qualitative risk analysis, information from quantitative analysis can help guide further discussions. Unlike qualitative analysis, a quantitative analysis tends to be more objective in nature.

(Check out Why Do Most Organizations Avoid Quantitative Risk Assessment?, Quantitative Risk Analysis: What Companies Must Have First and Is Quantitative the Only Future of Risk Management? for more)

Forced ranking

Another risk analysis method that merits our attention is forced ranking. It was developed by Bonnie Hancock, Executive Director of the ERM Initiative at NC State, after observing assessment processes in action across a variety of industries.

One issue she encountered was that risk scores would consistently “bunch” together in the middle of the scale. As I explained earlier with qualitative analysis, participants rank risks on a scale based on their knowledge and opinion of them. One person may give a risk a low score of 1 while someone else may assign it a 5. The final result would often just be an average, which is not useful for decision making.

Therefore, to understand which risks are more important and to simplify the ranking process, the forced ranking method was developed. Participants are simply asked to rank a list of risks, usually 10, regardless of dimensions. The most significant risk is given a score of 10, the 2nd most a score of 9, and so on.

When all of the results are in, the scores for each risk are added up to arrive at a final score, which is of course used to guide further discussions.
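To make the scoring methods above concrete, here is an added Python example (not code from the article, from NC State or from Bonnie Hancock) that applies the basic impact-times-likelihood score and a heat-map band from the qualitative section, then forced ranking, to constructed survey answers from four participants. The participants, risks and scores are all constructed, the heat-map cut-offs are an assumption, and forced ranking is generalised from the usual 10 risks to any number N.

```python
"""Qualitative scoring versus forced ranking on a constructed survey.
Added example, not code from the article: every participant, risk and score
below is constructed to reproduce the "bunching" the article describes.
Forced ranking is generalised to N risks (the top-ranked risk scores N)."""

# Constructed survey answers: per risk, one (likelihood, impact) pair per
# participant on the article's 1-5 scale. Note how far apart they sit.
SURVEY = {
    "Cyber breach":      [(5, 5), (2, 3), (4, 5), (1, 2)],
    "Key supplier loss": [(3, 4), (3, 3), (2, 4), (4, 3)],
    "Talent attrition":  [(1, 5), (5, 2), (3, 3), (3, 3)],
    "New regulation":    [(2, 2), (4, 4), (3, 3), (3, 3)],
    "FX exposure":       [(3, 3), (3, 3), (3, 3), (3, 3)],
}

# Constructed forced-ranking answers: each participant orders the same
# list, most significant risk first.
RANKINGS = [
    ["Cyber breach", "Talent attrition", "Key supplier loss", "New regulation", "FX exposure"],
    ["Key supplier loss", "Cyber breach", "New regulation", "Talent attrition", "FX exposure"],
    ["Cyber breach", "Key supplier loss", "Talent attrition", "FX exposure", "New regulation"],
    ["Talent attrition", "Cyber breach", "Key supplier loss", "New regulation", "FX exposure"],
]

def impact_times_likelihood(survey):
    """The basic method the article names: average each dimension across
    participants, then multiply likelihood by impact (range 1-25)."""
    scores = {}
    for risk, answers in survey.items():
        likelihood = sum(l for l, _ in answers) / len(answers)
        impact = sum(i for _, i in answers) / len(answers)
        scores[risk] = likelihood * impact
    return scores

def heat_map_band(score):
    """Colour a 1-25 product for a heat map. The cut-offs are an assumption
    made for this example, not thresholds from the article."""
    return "red" if score >= 15 else "amber" if score >= 8 else "green"

def forced_ranking(rankings):
    """Forced ranking: with N risks the top-ranked gets N points, the next
    N-1, and so on; each participant's points are summed per risk."""
    n = len(rankings[0])
    totals = dict.fromkeys(rankings[0], 0)
    for order in rankings:
        if sorted(order) != sorted(rankings[0]):
            raise ValueError("every participant must rank the same risks")
        for position, risk in enumerate(order):
            totals[risk] += n - position
    return totals

def ordered(scores):
    """Risk names from highest to lowest score, ready for discussion."""
    return sorted(scores, key=scores.get, reverse=True)

if __name__ == "__main__":
    basic = impact_times_likelihood(SURVEY)
    for risk in ordered(basic):   # all five land in the amber band
        print(f"{risk:18} {basic[risk]:5.2f} {heat_map_band(basic[risk])}")
    forced = forced_ranking(RANKINGS)
    for risk in ordered(forced):  # the same risks, now clearly separated
        print(f"{risk:18} {forced[risk]:5}")
```

With the averaged scores every risk sits between 9 and 11.25 on a 25-point scale and shares one heat-map colour, while the forced-ranking totals run from 5 to 18 and separate the same risks cleanly.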

As you can imagine, I have my own impressions of the various scoring methodologies that I can elaborate on, but since this article is focusing on a high-level overview of enterprise risk assessment, I want to save that commentary for a future post. For some thoughts on the limitations of heat maps, I suggest checking out this article from my colleague Ashley Jones.

What happens from here?

Once risk information is gathered, scored, and the results are debated, the process still isn’t finished. Organizations too often go through these steps just to cast the information aside when actual decisions are being made.

However, with this information in hand, decision makers at your organization should have a pretty good idea of which risks to focus on and how to choose the right risk response.

In order to choose the right treatment, the risk will need to be compared to the organization’s risk tolerance and appetite, which I discuss here.

(To learn more about risk appetite, check out 7 Questions for Understanding the Fundamentals of Risk Appetite.)

A couple of important points before wrapping up…

As I explain in my definition of enterprise risk assessment, the process is continually evolving and executed on a regular basis. Circumstances and priorities will change how management should respond to risks, so it is important that risk assessments be done at least annually and perhaps even semi-annually for more urgent, fluid, or high-impact risks. RTI International, for instance, only does a full risk assessment every 3 years but examines emerging risks quarterly.

My personal preference is to time the assessments to when controls or mitigation activities are put into place, since the effectiveness of those activities should change the assessment. And for those risks above the risk tolerance, look at velocity as a way to prioritize them, since a shorter window to respond means the organization needs to get its act together sooner.

Also, as you go along, you will learn which methods for gathering information and scoring risks work for your organization. While the initial setup of the process is an important part of developing an ERM framework, the flexibility to change based on actual experience is equally important.

Do you have an enterprise risk assessment process set up for your organization? What were your challenges? Do you combine risk identification and assessment in your ERM process?

If you do NOT have a process yet, what do you foresee as the biggest obstacle to transforming risk information into something actionable?

Please don’t hesitate to leave a comment below or join the conversation on LinkedIn to share your perspective. I’m always interested in learning from others’ experience and the valuable insights these conversations can yield for us all.

And if you’re trying to develop your enterprise risk assessment process or need to refine it to provide leadership with better risk information for decision-making, complete my consulting and coaching waitlist form below and I will contact you when space becomes available.

For further reading:

  1. Survey of Risk Assessment Practices; Bonnie V. Hancock, Executive Director of the ERM Initiative at North Carolina State University.
  2. Enterprise Risk Management: Frameworks, Elements, and Integrations; Drs. William G. Shenkir and Paul L. Walker on behalf of the Institute of Management Accountants.
