Now that you have a clear picture of your company's risk, you don't have to let it keep you up at night. With an airtight risk assessment process and matrix, you'll be equipped to heed any warning signs before they come to fruition. There are events that may trigger the need for a refresh, such as establishing an enterprise risk management (ERM) program, a major merger or acquisition, or a material weakness within your internal controls environment. Risks are occurring all around us, and the matrix should reflect this. Taking care of your risk assessment matrixĪlways remember that the risk assessment matrix is a living, breathing document that needs to be nurtured and maintained. Sharing the risk: This risk could be shouldered by multiple teams or groups in the companyĪvoiding the risk altogether: Let's not come near this one Reducing the risk: This risk is a little steep, and we should take steps toward minimization ahead of time There are many ways to respond to risk, and each identified risk can be addressed in one of four ways.Īccepting the risk: This risk is tolerable, and our company can surmount it And, as I mentioned in step four, that requires some expert judgement-some of which might not entirely be up to you. Now that you have identified the risks, you now need to figure out what to do about them. Assessments that are only performed once a year, or not at all, have emerging risks that could go unnoticed, undetected, or may not even be considered. The matrix should be changing consistently with your company's risk environment. Remember: The risk assessment process should be done multiple times a year. Expert judgment is involved in risk assessment and prioritization techniques to identify potential impacts, define inputs, and interpret the data. If these last two steps sound subjective-that's because they are. In other words, prioritizing risk accounts for the impact, possibility, and importance of the risk, and outputs a plan. In the last step, we're going to compare the different levels of risk (from step three) to the target risk criteria (from step two). Most organizations use a common, three-part "High, Medium, and Low" scale at this stage, but taking a more granular approach could be beneficial to your organization-expanding the scale to "1–5," for instance. If the identification step was qualitative in nature, this step includes a quantitative analysis of the most important risks. (Well, as fun as a risk assessment matrix can be.) We're going to assess the risks based on the criteria we laid out in the previous steps. This next step is where things start to get fun. After all, you can’t manage what you can’t measure. This is a critical step, as these criteria will drive the discussions throughout the rest of the process.īeware of underestimating the importance of reaching consensus on the criteria. However, some organizations may add other factors such as vulnerability and speed of onset. Here's one way that I would organize my risks:īefore assessing each risk, you’ll want to develop a common set of factors to help evaluate your organization's risk universe.Ī typical risk assessment matrix uses two main criteria: This helps me narrow the focus down after a broad brainstorming session.Īdditionally, your risk universe will contain concerns specific to your industry, along with concerns unique to your company. Now, let's get the creative juices flowing!įrom my own personal experience, I like to start with high-level risk categories that align to business functions, and then drill down to specific processes within those functions. These brainstorming sessions will generate a list of ideas that will serve as the foundation of the risk assessment matrix. The most effective way to do this is with free-flow brainstorming sessions. To start off, you'll want to make sure you cast as wide a net as possible. The goal with this first step is to capture the full scope of the present risk. But I’d like to offer a simplified view without a bunch of mathematical computations. The risk assessment process may seem like an intimidating process.
0 Comments
Leave a Reply. |