Enterprise Risk Management: Risk Identification and Assessment

It is important for business owners, boards and managers to have a detailed understanding of all the risks their business faces. This should include all strategic, financial, and operational risks. To do this effectively, there needs to be a rigorous and documented risk identification, assessment, and management regime in place.

Strategic Risks are larger, macro and often enterprise-wide risks that can affect the shape and nature of a significant part of a firm’s or organization’s businesses. This can be over a short-, medium- or long-term time horizon. Strategic risks impact a business’s activities and will affect its ability to achieve its longer-term business and financial goals. The risks can be external or internal. They are often not within the firm’s or organization’s control.

Financial Risks are those risks that have a direct impact on the financial position of the firm or organization. The impact of risks in this category can be on its earnings, cash flow, liquidity, debt maturity profile or balance sheet. The impact of Financial Risks will also be over the short, medium, or longer term, and will affect the firm’s or organization’s ability to achieve its longer-term business and financial goals.

Operational Risks are a category of risks that will occur in the day-to-day operation of the firm’s or organization’s business activities. There are often many and they will usually give rise to a range of consequential regulatory, operational and/or financial risks. They can be small, micro and isolated risks in the myriad of activities a firm or organization is involved in or enterprise-wide risks (but operational in nature).

Organizations face numerous risks. For larger businesses, organizational complexity also brings with it a multitude of risks. The task of identifying and assessing risks alone is challenging, let alone thinking about how to mitigate a myriad of risks that are identified.

For organizations commencing implementation of a more holistic or enterprise-wide approach to risk management for the first time, the following four steps should be undertaken.

Conduct a Workshop

Use the 52 Risks® framework to systematically go through each Strategic, Financial and Operational Risk. Discuss each risk category, identify the key business risks in each category (there is often more than one), rate each risk and agree on any action to be taken. This can include additional work to understand a business risk better.

The 52 Risks® website has a template for mapping the risks that can be used for this exercise.

Establish a Formal Risk Register

This is a register of key business risks in each risk category (use the 52 Risks® framework as a starting point). This will assist both the identification of key business risks and, as each is assessed, ensure action is taken as appropriate.

Develop a Risk Management Strategy or Action Plan

Using the outputs of any initial risk management workshops and the existing understanding of the business, either write a Risk Management Strategy for the firm or simply prepare an initial Action Plan. A list of things to be done – detailing by when and by whom – will often suffice.

The strategy or action plan should document the key business risks that the company needs to manage, and the proposed business strategies and actions.

For larger, more established businesses this should document any risk management processes in place, key business policies, and roles and responsibilities for the management of business risks.

Monitor Progress and Actions

Once the risk identification and assessment exercise has been completed and action plans are in place, it is important to monitor the plans to address the key risks. Ensure that risk owners have a full understanding of the risks and are resourced to manage them. It is important to bring risk mitigation initiatives to life, rather than have the risks remain in a report, neither addressed nor mitigated.
