UNDERSTANDING YOUR RISK PROFILE
Every organization has significant risk exposures. The question is, does executive management and the Board of Directors really know what they are?
For many companies, the enterprise risk assessment (ERA) process focuses on the severity of impact of potential future events on the achievement of the organization’s business objectives and the likelihood of those events occurring within a stated time horizon. Developing risk maps, heat maps and risk rankings based on these subjective assessments is common practice. Encompassing an evaluation of available data, metrics and information, as well as the application of judgment by knowledgeable executives, the ERA process is intuitive to most people and provides a rough profile of the enterprise’s risks.
But there are some issues with the traditional risk-mapping approach:
There is a place for traditional risk assessment approaches when creating awareness and obtaining a quick overview of risk. However, an important question arises: Should the ERA process view all risks through the lens of the same assessment methodology? As traditional approaches lose their utility over time as a source of fresh insight, it may be time to consider more robust assessment mechanisms that consider the unique characteristics of different categories of risks – strategic, operational, financial and compliance.
Strategic uncertainties are the risks that the business model is not effectively aligned with the strategy and that one or more future events may invalidate fundamental assumptions underlying the business strategy and management’s long-term outlook. These risks relate primarily to the external environment (e.g., competitors, customers, technological innovation, regulators, etc.) and warrant the use of a contrarian analysis approach applied to the critical assumptions underlying the strategy, consisting of four steps:
Strategic uncertainties are often about disruptive change. Time to act on strategic risks is a precious asset in a dynamic environment. It arises from timely recognition and enables management to capitalize on critical opportunities and risks arising from disruptive change. With the speed of disruption increasing, time to act provides management with the ability to face the future with confidence by identifying emerging trends and formulating options to address those trends in the cool of the day rather than under fire.
Operational risks pertain to one or more future events impairing the effectiveness of the business model in creating value for customers and achieving expected financial results. These risks require an extended end-to-end view of the enterprise, considering their impact across the value chain.
With this perspective in mind, root causes of significant performance gaps are assessed and process improvements are identified and implemented. This end-to-end enterprise perspective places importance on extended business relationships – upstream to suppliers and suppliers’ suppliers and downstream to channels, customers and ultimate end-users, as well as the logistics connecting all points along the value chain – in addition to internal processes, personnel and systems. The analysis is directed to understanding the risk of loss of any of these key links in the chain, as well as the exposure to disintermediation if the organization is a key intermediary between producers and the ultimate consumer.
Assessment of these risks includes considering such questions as:
Note that likelihood of occurrence is not as significant a factor in evaluating exposure to catastrophic events as the enterprise’s response readiness. How resilient is the company in responding to a catastrophic event? The above operational risk analysis is the point at which risk assessment begins to intersect with business continuity planning and crisis management.
Financial risks pertain to cash flows and financial risks not being managed cost-effectively to:
Due to their nature, these risks are more susceptible to the use of measurement tools and techniques, including financial modeling, scenario planning, value-at-risk frameworks and ongoing monitoring against budgets and forecasts. Techniques for evaluating financial risks include assessments of exposure of financial and physical assets to loss and susceptibility of operations to disruption. While some of these techniques may facilitate the assessment of strategic and operational risks, their primary focus on financial risks is two-fold – managing liquidity and delivering expected financial results.
Compliance risks are the risks of noncompliance with laws, regulations, internal policies and/or contractual arrangements resulting in penalties, fines, increased costs, lost revenues, market sanctions and/or reputation loss. They require analysis of the organization’s conformance with these requirements and arrangements. In lieu of mindless guesswork on probabilities, companies should consider the effects of noncompliance events in terms of the following factors:
While the frameworks for evaluating compliance and operational risks may appear to consider similar factors, the key distinction for assessing operational risks is the use of a boundaryless view of the enterprise. There are, of course, exceptions to this general rule; for example, third-party agents can implicate the companies for which they work. Of course, tolerance for compliance violations versus operational risks is a completely different discussion.
INTEGRATING THE COMPOSITE RISK PROFILE
In today’s rapidly changing business environment, an ad hoc perspective and/or oversimplified assessment grid applied to the enterprise’s risk exposures is inadequate. Robust approaches applied to different risk categories according to the underlying risk characteristics help identify the top risks within those categories. Those approaches should then feed management’s consolidation process for formulating an enterprise-wide risk profile merging the top risks in each risk category to provide a consolidated summary of the vital few critical risks.
Applying analytical frameworks best suited to address the unique characteristics of the risks the company faces is an efficient and effective approach to integrating risk management with the core management processes of the business. Engaging the appropriate managers who are best positioned to own the risk assessments, using analytical frameworks they understand – and most importantly, use – increases the likelihood they will act on the assessment results.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to