Risk Analysis is the second of three phases that make up a Risk Assessment.
What are the other two phases?
Risk Identification - Managers identify the risks to achieving business objectives, describe the risks, and assist in classifying them into appropriate risk categories.
Risk Evaluation - The Risk Management Committee (RMC) compares the risks to the relevant Risk Tolerances and prioritizes risks for treatment.
The Role of the Workgroup in Risk Analysis
Risk Analysis – The risk management Workgroup characterizes the risks, classifies them, and quantifies likelihood and impacts.
The Risk Analysis phase builds directly on the results of the Risk Identification phase. Conducted by the Workgroup, this phase involves a body of managers with detailed, day-to-day knowledge of the operations and risks of the organization. The Workgroup will have representation from various business units, departments and common support functions. A very important segment of this representation will be that of the compliance functions: internal audit, SOX administration and regulatory compliance.
Characterizing and Measuring Risk
The Workgroup will consult the managers who identified risks for their respective areas. It will also leverage the operational expertise of these managers for the two main tasks of Risk Analysis.
The first task is that of characterizing each risk so that it may be classified into the appropriate category of risk. A typical roster of risk categories is shown in the chart below.
The second task is that of determining the Likelihood and Impact of each risk. A very common ranking system is a “five-by-five” scale for Likelihood and Impact. Likelihood can be assessed on a scale of five from rare to almost certain. Impact can be assessed on a scale of five from negligible to severe. A simple multiplication of the two ranks yields a score for the risk. This ranking system is depicted in the chart below.
This ranking system is what allows risks to be compared on a common basis across the organization.
Likelihood and Impact can often be measured in quantitative terms. Likelihood may lend itself to being measured as a one in two chance of happening (50%) or a one in five chance of happening (20%). Impacts may lend themselves to ranges of dollar amounts, e.g., negligible impact is under $1,000,000 while severe impact is determined to be greater than $50,000,000.
Some types of risks do not lend themselves easily to quantitative measures. Qualitative measures have to be devised for these risks. The designers of the ERM program have to take great care to ensure that these qualitative measures (1) will be meaningful to the users and (2) will be interpreted similarly by each user. The National Institute of Standards and Technology created an excellent example of qualitative scales for likelihood and impact of cyber threats. (The ALS Group added the prompts for dollar amount impacts.)
Taking Risk Treatment into Account: Inherent Risk versus Residual Risk
As risks to the organization are identified, it will often be apparent that they are already being addressed in some fashion. For example, a risk of loss of inventory in transit may be insured or safety precautions may mitigate dangers in a warehouse.
A later post in this series will address risk treatments in greater detail. In this post, we want to briefly reference risk treatment to illustrate a concept. That concept is the difference between assessing the inherent risk versus assessing the residual risk. What do these terms mean? Let us use the potential inventory loss example to illustrate these terms.
The value of the inventory in transit may be major. Also, perhaps the shipping route poses a moderate danger of a loss occurring. Using our five-by-five rating system above, we can see that a major impact coupled with a moderate likelihood may indicate a significant risk. But what of the insurance coverage? Adequate insurance may indeed reduce the impact of the risk from major to negligible. The likelihood of the occurrence remains the same — moderate — but the great reduction in the impact reduces our potential loss to an acceptable level. The assessment of likelihood and impact before any consideration of the insurance coverage renders a score for the inherent risk. The assessment of likelihood and impact after treatment of the risk - - the insurance coverage - - renders a score for the residual risk. Having measures for both inherent risk and residual risk allow the organization to assess the value of each risk treatment. In our example, the insurance coverage proved to be a very valuable risk treatment.
Knowing the value of each risk treatment allows the organization to optimize its risk response. For example, the organization can choose the most effective potential risk treatments or it can choose to discontinue an existing risk treatment in favor of a more effective one.
Risk treatment entails an important role for Internal Audit. An effective and well-integrated ERM program will incorporate the testing of risk treatments into the annual audit plan. Internal Audit will test for compliance with the adopted risk treatments and the effectiveness and efficiency of the risk treatments.
The Risk Register
Risk Analysis provides the Workgroup with the information it will capture in the Risk Register. The Risk Register is the heart of the ERM process. In the first post of this series, we identified a major strength of ERM as being its “portfolio view” of risk. The Risk Register is that portfolio. It captures the information we discussed above - - risk categories, risk characterization, treatment, likelihood, impact, inherent risk, residual risk - - and also records the assignment of a risk owner to oversee the management of the risk. The sample of a Risk Register to the right shows how these elements might appear in a typical Risk Register.
This Risk Register allows the Workgroup and the RMC to do the work of the next phase of Risk Assessment – Risk Evaluation. In the Risk Evaluation phase, the RMC, with the assistance of the Workgroup, will compare risks and treatments and analyze relationships and potential synergies between risks and treatments.