Risk Assessment Template Best Practices
Steven Minsky | March 5, 2012
Risk assessments are plagued by subjectivity which means they simply cannot be relied upon to meet their objective. Subjectivity prevents the risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:
- Adopt a uniform numerical scale – Use a scale of 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets (1-2, 3-4, 5-6, etc.) so that each bucket has a high and a low value. Using a 10-point scale makes the math easy, and having only 5 buckets gives the people doing assessments the flexibility to select the high or the low of each bucket.
- Define objective evaluation criteria – Often, one person’s 9 is another person’s 7. You need to define in unambiguous terms what each of the 5 buckets means. You can choose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards, including laws, regulations, and corporate policies and procedures, can be compared with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.
- Calibrate assessment criteria – Although a variety of risk assessment criteria is used, all of them should be on a 1-10 scale and calibrated, meaning that a 7, even if described differently in different sets of criteria, carries the same severity. This allows assessments to be aggregated into a holistic view of risk.
- Use universal business elements – Break risk assessments down into basic elements, such as business processes and resources, that are standardized across business silos or business units. Assessing vendor characteristics separately from the products and services they sell produces risk assessments that remain objective and easy to maintain as changes occur, such as mergers and acquisitions or new product introductions.
- Link risk assessment templates – Link elements together, meaning connect vendors to the products and services they provide to the business processes that rely upon them. Link each financial element to the business processes that contribute to them. Link all of the internally developed applications and data repositories to the business processes that rely upon them to perform their responsibilities.
Linking these elements together enables risk assessment data to be easily aggregated and reported along those linked relationships, providing a holistic picture of all your risk assessment template results. For example, a vendor can have multiple products and services of different quality and risk. Assessing the products and services individually and linking those assessments to the vendor profile gives a much clearer picture of the combination of products, services, and vendors used by a process owner.
The result is a single overall summary score for each business process that combines the individual scores for each resource and financial item associated with that process and the process score itself. With this information, you can prioritize and focus your ERM efforts.
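As an added illustration (not code from the original post), a small Python model of the scheme described above: a 1-10 scale mapped to five buckets, elements linked vendor to product to business process, and a roll-up into one summary score per process. The entity names and scores are constructed, and worst-case (max) roll-up is an assumption, since the post does not specify how linked scores combine.

```python
from dataclasses import dataclass, field

# Uniform 1-10 scale, 10 = most unfavorable, split into five buckets (1-2, 3-4, ...).
# The bucket labels are an assumption; the post only defines the numeric ranges.
BUCKET_LABELS = {1: "1-2", 2: "3-4", 3: "5-6", 4: "7-8", 5: "9-10"}


def bucket(score: int) -> int:
    """Map a calibrated 1-10 score to its bucket number 1-5; reject anything off-scale."""
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 10:
        raise ValueError(f"score must be an integer from 1 to 10, got {score!r}")
    return (score + 1) // 2


@dataclass
class Element:
    """A universal business element (vendor, product/service, application, process)."""
    name: str
    score: int                                   # this element's own calibrated score
    links: list = field(default_factory=list)    # elements this one relies upon


def summary(element: Element) -> int:
    """Overall score for an element: the worst of its own score and of everything
    it is linked to (assumed worst-case aggregation, applied recursively)."""
    bucket(element.score)  # validates the score is on the 1-10 scale
    return max([element.score] + [summary(dep) for dep in element.links])


def report(element: Element) -> dict:
    """Per-element summary score and bucket range, keyed by element name."""
    out = {element.name: (summary(element), BUCKET_LABELS[bucket(summary(element))])}
    for dep in element.links:
        out.update(report(dep))
    return out


# Constructed sample data: one vendor selling two services of different quality,
# and an order process that relies on one of them plus an internal application.
VENDOR = Element("Acme Hosting (constructed)", 4)
MANAGED_DB = Element("Managed database", 8, [VENDOR])
BACKUP_SVC = Element("Backup service", 3, [VENDOR])
ORDER_APP = Element("Order application", 6)
ORDER_PROCESS = Element("Order fulfillment", 5, [MANAGED_DB, ORDER_APP])

if __name__ == "__main__":
    for name, (score, rng) in report(ORDER_PROCESS).items():
        print(f"{name:30s} score={score:2d} bucket={rng}")
```

The vendor scores only a 4 on its own, but the managed database it provides scores an 8, and because the order process is linked to that service its summary score is 8 (bucket 7-8), which is the holistic view the linking is meant to surface.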