Step 4: Conduct the Initial Enterprise-wide Risk Assessment & Develop an Action Plan
In many ways, this step is the heart of the initial Enterprise Risk Management process. The focus here is to gain an understanding of and agreement on the organization’s top risks and how they are managed. The assessment is a top-down look at the risks that could potentially be most significant to the organization and its ability to achieve its business objectives. While any organization faces many risks, the starting point is to get a manageable list of what are collectively seen as the most significant risks. Here, members of the risk committee or working group can be most helpful by sharing their views or identifying people in the organization who should be involved in the risk assessment.
While there is no one best way to conduct a risk assessment, many organizations start by obtaining a top-down view of the most important risk exposures from key executives across the organization. This is typically accomplished by starting with a discussion of the organization’s business strategy and its components and then identifying the principal risks that would impede its ability to achieve its strategic objectives.
An alternative is to discuss the strategies and risks of each of its major business units.
The organization should then consider prioritizing or ranking the risks identified. This step could be accomplished by a simple ranking of the perceived level of inherent risk or by a more detailed assessment of the probability and impact of each risk. Consider using a basic scale of high, medium and low for each inherent risk as a starting point rather than quantification or modeling. Again, during this initial assessment, many organizations find good discussion and simple classifications helpful. As a result of some of the large and unexpected risks that have manifested themselves lately, some organizations are now expanding their impact and probability assessments to include other factors.
Examples of these new factors include assessing the velocity of a risk or the level of preparedness of the organization for that risk. The organization also needs to assess its risk responses related to identified risks and develop action plans to address any gaps that are beyond those acceptable. Typically, action plans stemming from the initial risk assessment would identify gaps in the existing risk management processes related to the risks identified and detail specific ways to address those gaps. The initial risk assessment exercise is also a time to initiate discussions about the organization’s risk appetite relative to the risks identified.
Some executives find it difficult to articulate, much less discuss, their organization’s risk criteria or sometimes called as risk appetite. To overcome this challenge, consider focusing initially on qualitative or narrative descriptions of the risk criteria or risk appetite, (e.g. the organization may have zero tolerance for anything related to customer or employee safety).
Management can facilitate the discussion of the risk criteria or risk appetite by identifying types of activities or products that they will or will not undertake because of the perceived risks. Alternatively, they may discuss how risk aggressive or conservative they want to be compared to their peers or competitors.