Every organization has significant risk exposures. The question is, does executive management and the Board of Directors really know what they are?

For many companies, the enterprise risk assessment (ERA) process focuses on the severity of impact of potential future events on the achievement of the organization’s business objectives and the likelihood of those events occurring within a stated time horizon. Developing risk maps, heat maps and risk rankings based on these subjective assessments is common practice. Encompassing an evaluation of available data, metrics and information, as well as the application of judgment by knowledgeable executives, the ERA process is intuitive to most people and provides a rough profile of the enterprise’s risks.

But there are some issues with the traditional risk-mapping approach:

  • As the process is often influenced by past experience, it may allow individual biases to affect the assessment, foster “groupthink” and pre-empt out-of-the-box thinking. When scales are used, assessments by unknowledgeable participants often are “middle of the road,” skewing the resulting intersections on the map. These intersections are nothing more than mean averages of sometimes widely dispersed views – they do not necessarily represent a true consensus of the participating evaluators.
  • The process is a linear, point-in-time assessment that doesn’t address the unique characteristics of the company’s risks. Said another way, the process subjects risks with different characteristics and time horizon considerations to a common analytical framework. While this process may be convenient, it is not robust enough to add value continuously over time.
  • The process doesn’t provide much direction to the appropriate risk owners as to the appropriate risk responses. It is not uncommon for risk owners to express frustration with the lack of actionable insights emanating from the process. The point is, it is not unusual for traditional risk assessments to hit a wall, leaving decision makers with a list of risks and little insight as to what to do next. Over time, a common complaint is that risk assessments rarely surface an “aha!” that alters senior management’s view of the world.
  • The process offers virtually no insight as to what to do about exposures to extreme events, the so-called “high-impact, low-likelihood” risks in the upper left corner quadrant of the map. Interestingly, these events are often the ones that cause the most damage if and when they occur unexpectedly, particularly if the organization is unprepared.

There is a place for traditional risk assessment approaches when creating awareness and obtaining a quick overview of risk. However, an important question arises: Should the ERA process view all risks through the lens of the same assessment methodology? As traditional approaches lose their utility over time as a source of fresh insight, it may be time to consider more robust assessment mechanisms that consider the unique characteristics of different categories of risks – strategic, operational, financial and compliance.


Strategic uncertainties are the risks that the business model is not effectively aligned with the strategy and that one or more future events may invalidate fundamental assumptions underlying the business strategy and management’s long-term outlook. These risks relate primarily to the external environment (e.g., competitors, customers, technological innovation, regulators, etc.) and warrant the use of a contrarian analysis approach applied to the critical assumptions underlying the strategy, consisting of four steps:

  1. Define the critical assumptions underlying the strategy.
  2. Develop contrarian statements describing potential scenarios that could invalidate one or more strategic assumptions.
  3. Use scenario analysis and stress testing to select the contrarian statements that are most likely to have the greatest impact on the validity of the company’s strategy if they were to transpire.
  4. Articulate the implications of high-impact contrarian statements to pinpoint the trending indicators and other metrics the organization can use to monitor the environment for signs the scenarios of most concern are either developing or have occurred.

Strategic uncertainties are often about disruptive change. Time to act on strategic risks is a precious asset in a dynamic environment. It arises from timely recognition and enables management to capitalize on critical opportunities and risks arising from disruptive change. With the speed of disruption increasing, time to act provides management with the ability to face the future with confidence by identifying emerging trends and formulating options to address those trends in the cool of the day rather than under fire.


Operational risks pertain to one or more future events impairing the effectiveness of the business model in creating value for customers and achieving expected financial results. These risks require an extended end-to-end view of the enterprise, considering their impact across the value chain.

With this perspective in mind, root causes of significant performance gaps are assessed and process improvements are identified and implemented. This end-to-end enterprise perspective places importance on extended business relationships – upstream to suppliers and suppliers’ suppliers and downstream to channels, customers and ultimate end-users, as well as the logistics connecting all points along the value chain – in addition to internal processes, personnel and systems. The analysis is directed to understanding the risk of loss of any of these key links in the chain, as well as the exposure to disintermediation if the organization is a key intermediary between producers and the ultimate consumer.

Assessment of these risks includes considering such questions as:

  • What would happen if any of these vital operational components were taken away, through either failure or an unexpected catastrophic loss?
  • What is the velocity or speed-to-impact of these risks, including whether the loss of any critical component can occur without warning? Would it smolder or would it be sudden?
  • What is the persistence of the impact of these risks? What is the duration of time before the loss of the component can be replaced?
  • What response plans are in place to address the loss of a critical component for an indeterminable period of time?
  • What uncompensated risks do we face across the value chain (e.g., environmental, health and safety), and how well are we managing them?
  • Are there opportunities for our positioning within the value chain to be supplanted by a competitor or an alternative business model (e.g., an Internet-based model that sells direct to customers)?

Note that likelihood of occurrence is not as significant a factor in evaluating exposure to catastrophic events as the enterprise’s response readiness. How resilient is the company in responding to a catastrophic event? The above operational risk analysis is the point at which risk assessment begins to intersect with business continuity planning and crisis management.


Financial risks pertain to cash flows and financial exposures not being managed cost-effectively to:

  • Maximize cash availability and minimize liquidity risk;
  • Reduce uncertainty of currency, interest rate, credit and other financial risks; and/or
  • Move cash funds quickly and without loss of value to wherever they are needed most.

Due to their nature, these risks are more susceptible to the use of measurement tools and techniques, including financial modeling, scenario planning, value-at-risk frameworks and ongoing monitoring against budgets and forecasts. Techniques for evaluating financial risks include assessments of exposure of financial and physical assets to loss and susceptibility of operations to disruption. While some of these techniques may facilitate the assessment of strategic and operational risks, their primary focus on financial risks is two-fold – managing liquidity and delivering expected financial results.


Compliance risks are the risks of noncompliance with laws, regulations, internal policies and/or contractual arrangements resulting in penalties, fines, increased costs, lost revenues, market sanctions and/or reputation loss. They require analysis of the organization’s conformance with these requirements and arrangements. In lieu of mindless guesswork on probabilities, companies should consider the effects of noncompliance events in terms of the following factors:

  • The adequacy of the organization’s policies, procedures and culture around compliance from a regulatory and an industry standpoint (which is a separate conversation in and of itself that we can reserve for another blog);
  • The impact on reputation (e.g., fines, penalties, loss of revenues, legal fees and other costs), loss of market capitalization, loss of markets, the “spotlight attraction” effect, etc.;
  • The velocity or speed-to-impact, including whether the effects of noncompliance can occur without warning and how quickly the effects can escalate and gather momentum, attracting media and regulatory attention;
  • The persistence of the impact (i.e., the duration of time over which the noncompliance event will affect the company); and
  • The enterprise’s response readiness (i.e., the resilience of the company in responding to a noncompliance event).

While the frameworks for evaluating compliance and operational risks may appear to consider similar factors, the key distinction for assessing operational risks is the use of a boundaryless view of the enterprise. There are, of course, exceptions to this general rule; for example, third-party agents can implicate the companies for which they work. Of course, tolerance for compliance violations versus operational risks is a completely different discussion.


In today’s rapidly changing business environment, an ad hoc perspective and/or oversimplified assessment grid applied to the enterprise’s risk exposures is inadequate. Robust approaches applied to different risk categories according to the underlying risk characteristics help identify the top risks within those categories. Those approaches should then feed management’s consolidation process for formulating an enterprise-wide risk profile merging the top risks in each risk category to provide a consolidated summary of the vital few critical risks.

Applying analytical frameworks best suited to address the unique characteristics of the risks the company faces is an efficient and effective approach to integrating risk management with the core management processes of the business. Engaging the appropriate managers who are best positioned to own the risk assessments, using analytical frameworks they understand – and most importantly, use – increases the likelihood that they will act on the assessment results.


Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to 