As governance codes evolved and placed an increased focus on risk management, many organisations instituted risk management procedures. However, these were often divorced from the day to day activity of the business, both in terms of the process and the types of risk identified. A risk review was undertaken, a risk register developed, and key risks identified. These were presented to the audit committee and the board, then put on the shelf until they had to be looked at again the following year, and never integrated into the management process.
While the disconnect between what the board and audit committee saw and the reality of risk management in an organisation has improved, are all organisations getting the best from their risk management processes? And could entities that are not required to have a governance process benefit from a risk review?
The Risk Review
The key to an effective risk review is to keep it simple. Only a limited number of risks can be focussed upon at any one time, so it is important that they are the key ones. In evaluating risks, most use some form of scoring based on the severity of the impact and the likelihood of occurrence. The product of the two gives the risk score. Risks scoring above a certain value are determined to be key.
Who Should Be Involved In Performing A Risk Review?
The key to a good risk review is involving the people with knowledge of the key business areas. It is important that participants are honest when performing a review and do not simply give the answers they think the boss wants to hear. The use of an independent facilitator can be of benefit – it may be that the CEO should be excluded from the initial meeting if it is felt that the result could be influenced.
Should The Review Be Top Down Or Bottom Up?
The advantage of starting at the top is that the input of senior people can bring a focus onto the areas that are of critical importance. As the process moves down, the focus may change, and while risks at that level may be important they have to be addressed in the context of the overall organisation. At the very bottom level, the internal control network should provide the building blocks for mitigating risk.
Where Should You Start?
First, the key objectives of the business should be known; it is against these that risks should be assessed. The key question should be: “what will put me out of business?”. The answer may be as simple as “no sales”. Management of that risk would then expand to look at sales strategies and even areas such as product development. Once the risks are evaluated, the conclusion may be that the risk is well controlled or that steps have to be taken to control it. The areas to be addressed can be broken down under headings as suits the business – e.g. operations, finance and reputation.
Identifying the risks can be the easy part; evaluating the impact, the frequency and how the controls mitigate them can be more difficult. One of the key aspects is ensuring that the controls identified as mitigating a risk are tested and shown to be working and effective. Too often a control is identified but not proven.
Ensure You Benefit
Before starting a risk review, ensure that the process is well planned and that the right people are involved. Once the risks are identified, ensure that the relevant people are aware, that the controls are operating and that there is ongoing monitoring. The process must be dynamic.