One of the key attributes of any successful professional is to have a growth mindset. This is true regardless of the type of work someone does and is a core value I try to impart both personally and professionally.
This mindset is especially vital for risk professionals to possess.
When it comes to basics like conducting an enterprise risk assessment, much has changed since the first version of this article was published in early 2018. What worked then won’t necessarily work today for a couple of reasons.
- Today’s world is even more volatile, thus making it even more critical for ERM to deliver actionable insights rather than a list of risks.
- Outdated approaches or methodologies based on listing random risks and avoiding failure will create the impression that ERM is just a documentation exercise and not a valuable tool for strategic decision-making.
These two reasons are why it is so important to go back and revisit foundational processes like enterprise risk assessment. While some points in the original article are still relevant, there are stark differences that should become clear as you continue reading.
Let’s talk enterprise risk assessment and how you as a risk professional should approach it to ultimately deliver the insights that company leaders need to successfully navigate today’s VUCA (volatile, uncertain, complex, ambiguous) world.
What enterprise risk assessment is and isn’t.
Let’s first define this invaluable step that occurs after risk identification, then go from there.
Enterprise risk assessment can be defined as:
“the practice of gathering information to understand risk to the organization achieving its objectives and affect how uncertainty is taken into account.”
Before going further, I want to zero in on two phrases in that definition, “gathering information” and “achieving its objectives,” because they are vital to understanding exactly what enterprise risk assessment is. If you look at frameworks like ISO 31000 or COSO, or at different thought leaders, you will find they combine risk assessment with analysis, prioritization, and in some cases even identification.
Sim Segal, creator of the Value-Based ERM framework, explains it like this:
“Most of the current crop of ERM frameworks lack the critical business case aspects that are necessary to connect ERM to an organization’s decision-making process.”
Meaning…you can’t simply identify risks, create a list, and proceed to manage or mitigate away without having more information about each risk. Doing so can result in you focusing on insignificant risks (whether not material to your company or already well managed) at the expense of ones that could possibly put the company’s survival on the line (worst case). Choices have to be made – you have to prioritize, but before you can do that, you have to gather information.
The other phrase, achieving its objectives, has to do with the purpose of the whole exercise. I’ve said it before and I’ll say it again and again – ERM’s primary goal needs to be about helping the company achieve its objectives and not simply avoid failure. As former LEGO strategic risk manager Hans Læssøe states in his book Decide to Succeed:
“Business leaders and executives focus on performance, not on risks – and hence, they do not care whether you have 5 or 25 risks, each with some impact. They do, and should, care about performance.”
Therefore, every identified risk must be linked to a strategic or business objective, as doing so shifts ERM from a rear-view to a forward-facing view.
Now that we are clear on what enterprise risk assessment is and what it isn’t, we’re ready to move on to the question…
What is enterprise risk assessment trying to understand?
The two-second answer to this question goes something like this – the information gained from an enterprise risk assessment will inform the company of its true state, uncover opportunities, and help management drive the company in the right direction with the proper allocation of resources.
More specifically, to understand where you need to go, you first need to understand where things stand (a/k/a the current state of the risk).
This reveals another shortcoming of risk-centric frameworks. Instead of asking where a risk currently stands, frameworks like COSO use the term inherent risk, which essentially means the status of a risk absent any controls or other actions. This may make sense to an experienced auditor or risk professional. In real-world business situations, however, the concept is too confusing for the business people you are interviewing to give useful inputs as part of an enterprise risk assessment.
Take your company’s IT department as an example…
You can’t expect them to explain or even visualize the state of a cybersecurity risk with no firewall or other basic security measures in place – things no one in their right mind would forgo.
Therefore, like our point earlier about what risk assessment is and what it isn’t, many frameworks you will encounter may give you tips that are simply detached from how a business truly operates.
Instead of trying to understand the impossible (i.e., inherent risk), the best place to start is to gather information to understand where a risk currently stands.
Keeping in mind that you should have already scoped the risk to apply to a specific (strategic or business) objective, your questions should take the form of understanding different attributes of a risk, namely:
- How badly will this risk affect the linked objective? (Impact)
- What are the chances of this level of impact to the linked goal occurring? (Likelihood)
It’s important to point out two things:
- these questions must be asked in this specific order.
- the question of probability or likelihood must be linked to the specified impact.
If you don’t, you will have two data points that are completely disjointed from each other, thus making it very misleading (and useless) for decision-making.
For example, asked the two questions separately, people may rate Risk A’s impact as major (a prolonged closure, major reputational damage, employees leaving in droves) and its likelihood as high (75%+). Read together, those two answers say the major outcome is likely. In reality, the likely (75%+) scenario is usually a short closure, minimal local reputational damage, and no employee impact, while the major outcome is a rare event. The two answers describe different scenarios, but the report blends them into one.
Also, if leadership sees a report claiming that a major impact is likely to occur, they will immediately ask why this risk hasn’t been addressed already…a good question.
Although impact and likelihood are the two most common attributes, other parameters to consider should circumstances warrant include:
- Velocity (how soon will the risk affect the linked goal)
- Pervasiveness (how widely the risk’s effects spread across the organization)
- Preparedness (how are we equipped to respond)
- Persistence (how long will the effects last)
You may be ready to jump in and start asking these questions, but there are some pre-work steps that must be done before you’re ready to start on an actual enterprise risk assessment.
This will constitute the hardest part of the entire risk assessment process. However, if done properly, it will make the actual assessment go pretty smoothly, and ensure you obtain all the right inputs from all the right people to deliver the insights needed for the decision being made.
The first step involves something really basic, and that is establishing the context or answering the question “why” – why are we doing this and what are we going to do with the information? This is really beginning with the end in mind. Is this part of the strategic planning process or is it focused more on business risks?
Whatever you do, remember that a risk must tie back to a specific objective.
The information a risk assessment needs to gather, regardless of the approach ultimately chosen, includes:
- [Strategic/Business] Goal/Outcome name
- Risk title
- Risk description
- Categories, if any
- Risk owner
- Target impact/likelihood
- Current impact/likelihood
- Existing controls and/or mitigations
After answering this fundamental question of “why,” the next decision is to determine the approach. Here you have two primary options:
- Option #1 – qualitative, which is an approach driven mostly by experts (business subject matter experts). This is the option most companies choose, especially when they’re first starting out.
- Option #2 – quantitative, which is driven by numbers. While this can provide richer insights, most companies have to work their way up to this.
The remaining prework steps below will be for a qualitative assessment.
To understand which risks are important, they need to be on a level playing field for comparison purposes down the road. One of the critiques of qualitative risk assessment that I share is that generic 1,2,3 or low, medium, high metrics are not only unhelpful, but misleading and rife with potential biases.
Therefore, a huge prework step is to develop criteria or a structured approach behind the impact and likelihood scores people will give you. These established criteria should be used for all future risk assessments, not just the one you are about to initiate.
The following table provides a basic example of specific criteria for Likelihood.
Something similar to this table can be done for Impact rating criteria. More advanced versions break this down further to include category attributes like Operations, Financial, and Talent with criteria for each level.
Note that taking this pre-work step does not eliminate the biases that can occur with a qualitative approach to enterprise risk assessment.
One simple way to begin addressing bias is to involve different people or subject matter experts so you can obtain different perspectives.
However, with multiple perspectives come the possibility of multiple scores, which is where calibration comes in. To learn more, visit the article linked below on trusting the experts. You can read ahead of time and be prepared, but it is possible you won’t spot this bias until you’re in the middle of a workshop.
With the criteria set, the next step in pre-work is determining how you will gather the actual information.
Similar to risk identification, you’ll need to know who the participants will be for the risk assessment and how exactly you will solicit information from them.
Will you hold a workshop with multiple participants or will you do one-on-one interviews? Note that interviews are typically reserved for executives or sensitive topics.
Surveys are another option, but they are rather limited in my opinion because they don’t allow you to understand the person’s rationale, plus more inputs don’t necessarily equal better results.
Refer to the article linked below on choosing the right risk assessment technique for guidance on selecting the best one to use.
Below are additional resources on steps to addressing bias, calibrating responses, how to ask risk assessment questions, and other steps for preparing for a risk assessment.
- Using Surveys to Gather Risk Information
- One Simple Method to Validate Risk Assessment Results
- Can We Trust the Experts During Risk Assessments?
- 7 Considerations for Choosing the Right Risk Assessment Technique
- 11 Tips to Effectively Conducting a Virtual Risk Assessment Workshop
- Asking Unbiased Risk Assessment Questions
- 29 Biases and Traps that Prevent Good Decision Making
I can’t stress enough the importance of being meticulous with this “pre-work” phase – the worst thing that can happen is to later realize you need additional information or forgot to ask something. Having to go back and ask participants questions again is not good for the program’s reputation or yours.
Remember too that what works for one company will not necessarily work for yours, which is why this entire process has to be tailored to your company’s specific needs, circumstances, culture, and more.
The other main approach to enterprise risk assessment, quantitative, can provide richer insights, which is why it is much preferred by different ERM thought leaders. While it does require a more advanced level of mathematical skill than the qualitative approach outlined above, Graeme Keith, Vice President of Quantitative Risk at Archer IRM, explains:
“The starting point is exactly the conversation you’re having now. We’re just giving a slightly different way of capturing that information – it’s a little bit more information because you get the full range of impacts and not just one particular scenario.”
A benefit of quantitative that its proponents cite is that it doesn’t have the same bias issues that are more prevalent with qualitative methods…but it is, by no means, foolproof. As a statistics professor once told me, you can tell any story you want with numbers; it all depends on the story you want to tell. Believe it or not, there’s actually a book called How to Lie with Statistics! Graeme concurs, but also says:
“I think it [quantitative] kind of keeps people honest, and at the same time, it changes the nature of the discussion because it becomes less about ‘how bad is this risk actually’. I think there’s a lot of kind of healthy things just in the way the conversation is presented.”
Quantitative isn’t my specialty, plus most companies I encounter simply don’t have the tools, expertise, or ready data to make it work, at least in the beginning of their ERM journey. However, I speak with experts in this exciting field, so I recommend checking out the following interviews with Graeme Keith and Hans Læssøe.
The other articles below will help you understand what your company needs in place before attempting a quantitative approach to risk assessment. As they should hopefully make clear, without certain things in place, your efforts will not be successful.
- Yet Another Take and Surprising Twist on the Quantitative vs. Qualitative Debate (Interview with Graeme Keith)
- Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation (Interview with Hans Læssøe)
- Quantitative Risk Analysis: What Companies Must Have First
- Why Do Most Organizations Avoid Quantitative Risk Assessment?
- Is Quantitative the Only Future of Risk Management?
- Qualitative vs. Quantitative Risk Assessment – Can There Be a Middle Road?
- Another Baby Step in the Qualitative to Quantitative Risk Assessment Journey
Thankfully, there’s a middle of the road approach that allows you to derive some of the benefits of quantitative risk assessment without needing all the tools and expertise for the full version. The following approach is also a good option for those who are not too experienced or even comfortable with math.
What it involves is basically using the same criteria you would use for a qualitative assessment above but breaking it down to create ranges for a low, high and expected impact and likelihood. After all, trying to pinpoint an exact dollar amount or delay time or some other metric is rather difficult and impractical in real life.
For example:
Objective: Launch a new product by Dec 20XX.
Risk: Unable to implement technology within the time frame needed to support the launch.
If the technology cannot be updated in enough time, what is the impact or delay to the product launch?
On the low side, this could be a three-month delay; on the high side, it could be as much as nine months. Those are the outliers, the least likely outcomes, and while you should look at them, you should also pinpoint the expected delay should the technology upgrades not materialize in time.
Impact range could look like this:
As explained by Hans Læssøe in his book Decide to Succeed, the low end of the range is the value the company is 95% certain the actual value will be above. In some circumstances 80% certainty will be sufficient for decision-making; in others 99% certainty will be needed.
Conversely, the high end of this scale is 95% certainty the actual will be below the stated value. In the case of our product launch, a nine month delay would be pretty significant, but highly unlikely since most would probably not let things get that bad.
Lastly, the expected or median impact is the middle of the range, the delay the actual outcome is as likely to fall above as below, and is generally the single-point estimate you started with.
Note that the expected value is the median, not the average (or mean). The median is the middle point of a data set, where half of the data points are smaller and half are larger. The mean is the sum of the data points divided by the number of data points. With a skewed range like the one above (a long tail toward long delays), the mean is pulled toward the tail and sits above the median. Big difference.
If you have actual numbers (which according to author Douglas Hubbard, we have more than we think we do), you should integrate them into the low, high, and expected ranges. As he discusses at different points in his books How to Measure Anything and The Failure of Risk Management, the purpose is not to eliminate all uncertainty, which would be impossible. Instead, it is to reduce it to a level that leads to the proper decision.
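To make the three-point idea concrete, here is an added worked example in Python; it is not code from the article, nor from Læssøe’s or Hubbard’s books. It takes the product-launch delay above (low three months, high nine months; the five-month expected value is my assumption, since the text gives only the two ends of the range), treats low and high as the 5th and 95th percentiles and expected as the median, and fits a lognormal distribution to them (a modelling choice of mine, chosen because delays can’t be negative and usually have a long right tail). From that fit it reports the mean alongside the median, and the probability of each impact band, which is the point made earlier about likelihood being tied to a specified impact: the nine-month “major” outcome sits at roughly 5%, while most of the probability lands on a short delay.

```python
"""Three-point (low / expected / high) risk estimate, worked through.

Added example, not code from the article. Assumptions:
  * low = 5th percentile, expected = median (50th), high = 95th percentile,
    following the 95%-certainty convention described in the text;
  * a lognormal distribution for delays (non-negative, right-skewed);
    this is a modelling choice, not something the article prescribes;
  * the 5-month expected value for the product-launch example is made up,
    since the article only gives the 3- and 9-month ends of the range.
Standard library only (Python 3.8+ for statistics.NormalDist).
"""
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()
Z95 = STD_NORMAL.inv_cdf(0.95)  # about 1.645, z-score of the 95th percentile


class ThreePointEstimate:
    """A risk's impact expressed as a (low, expected, high) range."""

    def __init__(self, risk, low, expected, high, unit="months"):
        if not 0 < low < expected < high:
            raise ValueError("need 0 < low < expected < high")
        self.risk, self.unit = risk, unit
        self.low, self.expected, self.high = low, expected, high
        # Lognormal fit: the median of a lognormal is exp(mu), so mu comes
        # straight from the expected value; sigma is chosen so that the
        # 95th percentile lands exactly on `high`.
        self.mu = math.log(expected)
        self.sigma = (math.log(high) - self.mu) / Z95
        self._dist = NormalDist(self.mu, self.sigma)  # distribution of ln(impact)

    def percentile(self, p):
        """Impact value at cumulative probability p (0 < p < 1)."""
        return math.exp(self._dist.inv_cdf(p))

    def median(self):
        return math.exp(self.mu)

    def mean(self):
        """Average impact; for a right-skewed range it exceeds the median."""
        return math.exp(self.mu + self.sigma ** 2 / 2)

    def prob_at_least(self, x):
        """Likelihood of an impact of at least x, i.e. tied to a stated impact."""
        if x <= 0:
            return 1.0  # impacts are non-negative, so this is certain
        return 1.0 - self._dist.cdf(math.log(x))

    def low_consistency(self):
        """Implied 5th percentile minus the stated low.

        A two-parameter lognormal can honour only two of the three points
        exactly; a large gap here means the expert's three numbers do not
        describe one coherent distribution and deserve a follow-up question.
        """
        return self.percentile(0.05) - self.low

    def band_probabilities(self, edges):
        """Probability of the impact falling in each band [a, b) for
        consecutive edges, plus an open-ended top band [last, inf)."""
        bands = {}
        for a, b in zip(edges, edges[1:]):
            bands[(a, b)] = self.prob_at_least(a) - self.prob_at_least(b)
        bands[(edges[-1], None)] = self.prob_at_least(edges[-1])
        return bands


def launch_delay_example():
    """The article's product-launch risk with a made-up 5-month expected value."""
    return ThreePointEstimate(
        risk="Unable to implement technology in time to support the launch",
        low=3, expected=5, high=9,
    )


if __name__ == "__main__":
    est = launch_delay_example()
    print(f"{est.risk}: {est.low}-{est.expected}-{est.high} {est.unit}")
    print(f"  median {est.median():.2f}, mean {est.mean():.2f} {est.unit}")
    print(f"  implied 5th percentile {est.percentile(0.05):.2f} "
          f"(stated low {est.low}, gap {est.low_consistency():+.2f})")
    for (a, b), p in est.band_probabilities([0, 3, 6, 9]).items():
        label = f"{a}-{b} {est.unit}" if b is not None else f">= {a} {est.unit}"
        print(f"  P({label}) = {p:.1%}")
```

Running the script prints the median, the (higher) mean, the 5th percentile the fit implies, and the probability of each delay band. The low_consistency check is the part worth keeping even if you swap the distribution: when the three numbers an expert gives you can’t come from one distribution, that is a calibration conversation to have in the workshop, not a figure to quietly smooth over.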
Whichever risk assessment approach you choose, remember that you’re not looking at risks in a vacuum…
Wrapping up, the approach you ultimately choose should not be a carbon copy from a framework or what other organizations are doing, but rather something tailored to your company’s specific needs and culture.
And regardless of the chosen approach, nothing in a business occurs in a vacuum, so why should your risk assessment? You cannot, and should not, look at risks in isolation because business doesn’t work that way. How can you determine the impact a risk will have if you don’t know what the risk is related to?
Also, in the next phase (risk analysis and prioritization), this connection will enable you to better understand how one risk could impact other risks should it occur, among other things.
It’s hard to say what the most critical phase of the ERM process is – they all are equally important. Without reliable information about a risk in the form of impact, likelihood, and other parameters, it will be impossible to understand which risks deserve the most attention and which ones do not.
Prioritizing without that information is like driving in the pouring rain on a busy highway: you can’t see what’s ahead, and the consequences can be catastrophic.
What approaches does your company take to solicit information about risks to strategic and business objectives?
This is quite a complex subject that can be difficult to understand and implement, which is why learning others’ perspective can be so helpful. Share your perspective by joining the conversation on LinkedIn.
If your company is struggling to find the right approach to understanding the nature of risks in your company, please don’t hesitate to reach out to me today to discuss your specific situation and potential paths to finding a solution.