Regular risk assessments are one of the most important pillars of any risk management department. Although performing business risk assessments is now considered best practice, it’s easy to overestimate their comprehensiveness. As a result, some risk managers are doomed from the start to mediocre results.
For a quick check on the adequacy of your risk assessments, determine how many of the following 5 best practices your program has ingrained in its ERM process.
Our 5 tips for more effective risk assessments:
- Adopt a root-cause approach: Root cause tells us why an event occurs and is the most effective way to collect risk data. Using the five root source categories (External, Process, Systems, People, Relationships) will help determine the most effective risk mitigation strategies.
- Standardize assessment scale and criteria: The biggest barrier to effective risk assessments is subjectivity. Subjectivity prevents assessments from being useful across multiple business silos, even when relevant. Standard, enterprise-wide scale and criteria make assessments applicable to every department, minimizing duplicative work.
- Link risks to action plans: Once risks have been identified and evaluated, the next step is assigning them action plan strategies (also known as controls or mitigation activities). Even if multiple risks are linked to the same mitigation, formalizing this step is the only tried and true way of ensuring activities neutralize the root cause. Without proper links, controls might mitigate a symptom rather than the source and turn into form-over-substance activities. It is also impossible to evaluate the effectiveness of a control without knowing the risk that the control is managing.
- Connect risks to strategic goals: Identifying your organization’s most important strategic imperatives is an indirect yet important facet of risk management; it is difficult to ensure strategic goal achievement if you don’t know what the risks are at the operational level. After identifying your most critical strategic goals, linking them to the root-cause risks from Step #2 will enable you to identify and prioritize vulnerabilities and build the business case for getting resources to address these vulnerabilities.
- Embed ERM in everyday activities: Simply put, risk should be a part of everyone’s job responsibility. You should begin integrating a risk-based approach, or what we refer to as enterprise risk management (ERM), into everyone’s day-to-day activities by starting with your own area. All surprises in business are bad, from minor surprises like missing a deadline to major surprises like audit findings, budget overruns or regulatory scrutiny.