ERM | RISK ASSESSMENT PHASE THREE: RISK EVALUATION

In our two most recent posts in this series, we addressed the first two phases of Risk Assessment: Risk Identification and Risk Analysis. This post looks at the final phase, Risk Evaluation.

The Risk Evaluation phase is addressed by the Risk Management Committee (RMC), a group of key executives responsible for the organization’s operations and performance. In the Risk Evaluation phase, the RMC ultimately determines which risks are at acceptable levels and which risks need further treatment to get them to acceptable levels. The following table illustrates the range of treatments that the RMC can consider.

The RMC will perform several tasks to determine which risks are at acceptable levels or not. The RMC will aggregate risks by objective, establish risk owners, confirm risk ratings, balance risk and reward, and prioritize risks for treatment.

Aggregating Risks by Objective

The RMC considers collections of risks for each business objective of the organization. Objectives can be defined in any number of ways. Examples of objectives may include a profitability percentage for a business unit, a re-engineering of a process, the introduction of a new product or the rollout of an initiative. Each of these objectives may entail a collection of risks that cuts across a number of parts of the organization. For example:

• The achievement of a profitability objective may entail risks associated with equipment procurement, maintenance, hiring and retention, sales and accounts receivable management;
• The introduction of a new product may present a revenue risk to the strategic plan, a technology risk for operations and a reputation risk for the marketing department.

The aggregation of risks by objective is a hallmark of ERM and accomplishes two important things. First, this aggregation by objective enables the RMC to analyze relationships among risks Second, the linking of risks to objectives ensures that that the prioritization of risks will reflect the organization’s prioritization of its objectives.

Establishing Risk Owners

The RMC will assign risks to “risk owners.” These risk owners are the managers or directors who are best positioned to understand the relevant operations, oversee the treatments and periodically revise the likelihoods and impacts of the risks. Risk owners must also be able to identify new and emerging risks within their areas of expertise. Risk owners will report on risks and treatments both to the Workgroup and the RMC so, in addition to understanding the operations the risks, they must have the ability to render that information in a readily understandable form. This is a particularly demanding skill when the area of expertise involves highly technical or esoteric bodies of knowledge such as information technology, engineering or financial derivatives. The risk owners will draft the rationale that explains the inherent risk score to the RMC and the Workgroup.

Confirming Risk Ratings

While risk owners and the members of the Workgroup have expertise in the determination of likelihoods and impacts of risks, the RMC is charged with vetting, revising and confirming the risk scores. The RMC members must have sufficient expertise to examine the assumptions and calculations underlying the initial scores presented to them.

The RMC will also confirm that potential impacts and the related risks are both measured in same way. For example, the success of an initiative to contain costs may be measured in terms of changes to the Gross Margin. Hence, the potential impacts of the risks to that objective should also be measured in terms of changes to Gross Margin. The use of a common unit of measure results in greater alignment of the risk with objective. The table below suggests risk measurements for an entire range of risk categories.

Balancing Risk and Reward

The RMC will choose among risks by considering positive outcomes as well as negative ones. In the example above of introducing a new product, there is potential to surpass projections for gains in revenue, market share and profitability as well as potential to fall short. The RMC has the task of weighing the probability and magnitude of positive outcomes against the likelihood and impacts of the risk events.

Prioritizing Risks for Treatment

The RMC establishes Risk Tolerances for the business objectives. Risk Tolerance is the amount of risk that the organization determines it can bear. In terms of balancing risk and reward, Risk Tolerance is the amount of risk that is justified by the potential rewards. Risk Tolerances will expressed using the same measurements that were chosen to express the risk impacts. For example, in the table above, we suggested that impacts of market risks may be measured in terms of the quantity of leads and the ratio of leads to sales. If those are the chosen measures for the impacts, then the tolerances for those risks will be expressed in those same terms.

The RMC compares “residual risk” (for a refresher on residual risk versus inherent risk, see our Risk Analysis blog.] to the Risk Tolerance and determines the appropriate treatment. Recalling our Range of Risk Treatments table above:

• Where the risks for objectives are within the respective Risk Tolerances, the treatment decision is an easy decision; the organization will accept the risk;
• Where risks for objectives exceeds the respective Risk Tolerances, the RMC has to determine which ones it will reduce or transfer (e.g. implementing new safety precautions, purchasing insurance, subcontracting) and which ones it will have to avoid by foregoing the opportunities.

This is where the ERM concept of prioritizing objectives and risks value for the organization. The RMC can avoid risks that yield inferior payoffs and instead concentrate time, effort and funds to reducing or transferring risks of objectives that yield the most rewards.

Using our example of the initiative of introducing a new product, we can illustrate the range of treatments.

• If the residual risk falls within the Risk Tolerance the RMC has set, the RMC will accept the risk and greenlight the introduction.
• If the collective risk of all of the negative consequences exceeds the Risk Tolerance, the RMC may employ one or two treatments to bring risk down to an acceptable level. The RMC may transfer the technology risk by investing in the outsourcing of the technology development. Alternatively, the RMC may reduce the reputation risk by augmenting the marketing department with additional marketing experts. Or the RMC may choose both treatments.
• Finally, if the organization cannot afford the treatments that would bring risk down to an acceptable level, the RMC will avoid the risk by choosing to forego the introduction of the new product altogether.

The Risk Register – The Heart of ERM

Throughout this risk evaluation process, the invaluable tool will be the Risk Register – a repository for the risk information that the RMC and the Workgroup will continually use. This is the sample of a Risk Register that we introduced in our Risk Analysis post.

It is easy to see now how the Risk Register houses the complete portfolio view of an organization’s risk. All of the items we discussed above come together in the Risk Register: Risk Category, Risk

Owner, Risk Rationale, Inherent Risk, Risk Treatment, Residual Risk. The Risk Register provides easy reference to the data needed for comparing and prioritizing risks, discovering relationships among risks, and discovering synergies among risk treatments.

The Takeaways

The methodical, analytical approach to Risk Evaluation minimizes subjectivity and uncertainty and unlocks value for the organization. The key to success in Risk Evaluation is compiling an effective, comprehensive Risk Register.

Contact us for help with turning a collection of uncertainties into an organized portfolio of risks and opportunities.