5 steps for better risk assessments

Post on 18-Dec-2021


5 Steps for Better Risk Assessments

+1 617 530 1210 | logicmanager.com | [email protected] ©LogicManager, Inc.

Introduction

Simply discussing high-level concerns with senior executives may have been sufficient 2-5 years ago, but growing expectations from all angles (the Board of Directors, regulators, investors, consumers, and more) mean risk assessments must directly increase business value and deliver more actionable results.

The reason expectations are rising is the See-Through Economy. This is what we call the current fast-paced age of transparency we're living in right now. With the click of a button, consumers can share their positive and negative experiences with a brand, which has put reputational risk higher up on the priority ladder.

The See-Through Economy isn't all doom and gloom though. There's a way to leverage our increased level of information access to anticipate and meet stakeholder expectations. It all starts with better risk assessments.

In this eBook, we'll show you how to make your assessments comparable across departments and levels, as well as how to aggregate the information in a way that adds value to your business.

Table of Contents

Prioritizing Activities
5 Best Practices
Adopt a Root-Cause Approach
Root-Cause Categories
Root-Cause Example
Standardize Assessment Scale and Criteria
Link Risks to Controls
Connect Risks to Strategic Goals
Embed ERM in Everyday Activities
These 5 Steps in Action


Prioritizing Activities is the Key

At its core, the goal of risk management is to make better decisions to add business value. Better decision-making requires transparency into all risk information gathered at your organization. It also requires the ability to prioritize that information by assessing the risks related to organizational goals, resources, controls, and monitoring.

Business value means looking at where you spend time and money so you can prioritize resources and resolve confusing or contentious issues.

Nevertheless, controls, tests, tasks, and resources are very expensive. Risk assessments add priority to these activities, helping you understand how critical each one is.

If you are not prioritizing the right activities, then you’ll likely see these consequences:

Lack of Continuity

Changes in the organization or development of new business lines may result in new activities even though existing ones are more effective.

Lack of Coordination

Often, activities apply to multiple risks or commitments across functional lines. The inability to formally tie activities to risk or commitments hinders inter-functional coordination, resulting in business silos and duplication of effort.

Activity Fatigue

Staff may ignore certain activities because of a lack of time to assess them.

Wasted Resources

If a risk changes, most organizations have no way of knowing how (or even if) these changes will affect their resources and activities.

Activity Obsolescence

In a changing environment, there is no effective way to know when activities no longer apply.

Lack of Prioritization

Picking activities to focus on is likely to be on an ad hoc basis and subject to the whims of current staff.

5 Best Practices

Throughout the remainder of this eBook, we will walk through these 5 best practices:

1. Adopt a Root-Cause Approach
2. Standardize Assessment Scale and Criteria
3. Link Risks to Controls
4. Connect Risks to Strategic Goals
5. Embed ERM in Everyday Activities

By adopting a standardized and objective best-practice risk assessment methodology, you can start to identify the overlapping activities that crowd your program, prioritize actions, and help your organization make more informed decisions.


1. Adopt a Root-Cause Approach

The most effective way to collect risk data is to identify risk by root cause. Root cause tells us why an event occurs, which provides information about what triggers a loss and where an organization is vulnerable. Using root-cause categories provides meaningful context as to what steps to take to mitigate risk.

However, getting people to link root causes with outcomes is often easier said than done. Typically, executive management thinks in terms of events to avoid or achieve, depending on the effects of such events. Moreover, they want to be presented information about the events or outcomes they care about. You, as a risk manager, need to understand the root cause in order to ensure proper mitigating activities are taking place.

[Diagram: Outcome 1 and Outcome 2 traced back to Root Cause 1, 2 and 3, each linked to Mitigation Activity 1, 2 and 3]

Most assessments jump to the “what can go wrong” aspect of risk identification.

The “what could go wrong” is often a detailed effect or symptom. Understanding the root cause requires generalizing the problem at a higher level and identifying the drivers of the risk.

You can begin to implement this root-cause approach in a facilitated session. You can also use a system to prompt assessors about the root causes of their concerns, which helps implement a solution on an enterprise scale. As you work with process owners, begin to build your root-cause risk library, and try to reuse root-cause risks already identified by other business areas to help identify systemic risks throughout the organization, as well as areas of upstream and downstream dependencies.

Root-Cause Categories

Many risk managers find it hard to engage multiple departments because those departments are unfamiliar with risk management as a discipline and therefore aren't sure how to communicate about it. As you can imagine, talking about the same root causes, outcomes, or mitigations in different ways can cause unnecessary roadblocks.

Consider building your risk library on these root-cause categories.

External: Risk caused by outside people, the environment, and other circumstances.
Examples: Fluctuations in economic markets, weather-related hazards or disasters, lack of public infrastructure

People: Risks involving people who work for the organization.
Examples: Misuse of confidential information, willful noncompliance with policies, lack of necessary skill sets

Process: Risk arising from the organization's execution of business operations.
Examples: Inadequate budgeting, missing documentation, lack of policies or procedures

Relationships: Risk caused by the organization's connections with third parties.
Examples: Contracts are not reviewed properly, inadequate security protocols on third-party relationships

Systems: Risks associated with IT processes, security, data, or information assets.
Examples: Data is inaccessible, failure to adopt new technology trends, inadequate system maintenance


Root-Cause Example

To demonstrate the value of root causes, let’s look at a brief example: fraud.

Say you have two people, an employee and a contractor, sitting side-by-side in the same room. One of them is committing fraud.

Your effective mitigation activity (if the employee is the culprit) will be getting HR involved. Your effective mitigation activity (if the contractor is the culprit) will be dealing with the third party.

What if it is a system or process that has a flaw that is allowing fraudulent activities to happen? It could be a matter of good people in a bad situation. Knowing the source of the risk is fundamental to your solution.

Outcome: Fraud
Potential Root Cause: Employee; Mitigation Activities: HR
Potential Root Cause: Contractor; Mitigation Activities: Vendor
Potential Root Cause: System Failure; Mitigation Activities: IT


2. Standardize Assessment Scale and Criteria

After you’ve created a system for labeling or identifying risk, you can move on to assessing the potential impact of each risk. A lot of organizations use a high-medium-low scale to assess their risks, but this actually isn’t best practice.

High, medium, and low scales make it difficult and time-consuming to quantify, aggregate, and objectively rank information. With only three options to choose from, employees will likely feel conflicted about which one to pick. Many may even feel compelled to write in a medium/high option.

In reality, best practice favors a 1-10 scale, with 10 having the most unfavorable consequences to the organization.

Using a 1-10 scale makes calculating the residual index score of a risk more straightforward. Giving employees more flexibility in their assessments increases accuracy and gives you more confidence when determining what your top risks really are.

[Figure: Residual Risk Score, a worked calculation ending "/ 10 = 16.2"]

How do you determine the priority of a SOX control vs. an operational policy vs. an insurance review?

You need defined evaluation criteria for these scales. Often, one person's 9 is another person's 7. You should provide a clear, unambiguous definition for each of the 5 buckets. The key is to express severity in both quantitative and qualitative terms (such as the dimensions of finance, legality, operations, regulations, strategy, etc.) in a standardized way. Each bucket should have a variation of these themes applicable to its level of severity.

Only one of the criteria listed for an impact level has to be met in order to rate a risk factor at that level. For example, if an identified risk factor prevents the organization from achieving its strategic plan, rate the impact of the risk factor at the 9-10 level regardless of whether the risk factor has only a perceived minimal negative impact on sales.

Although a variety of assessment criteria are used, all categories should be on a 1-10 scale and calibrated, meaning the description of a 7 (even if described differently in other risk assessment criteria) has the same meaning of severity. This allows the aggregation of assessments to provide a holistic view of risk.

Impact scale. Each level is defined across the same five dimensions: Financial, Legal, Operational, Regulatory, and Strategic.

1 – 2 Insignificant

3 – 4 Minor

5 – 6 Moderate

7 – 8 Serious
• Financial: Negative impact on net income – $15 million to $20 million
• Financial: Alternative financing (debt), sale or restructuring of the organization could be required
• Operational: Inability to remain competitive (e.g., lagging customer service, operational inefficiencies)
• Regulatory: Regulatory penalties are required

9 – 10 Major
• Financial: Negative impact on net income – over $20 million
• Financial: Catastrophic impact on financial statements (e.g., critical contractual ratios are no longer met)
• Operational: Long-term impairment of critical functions makes the organization vulnerable to a forced sale or merger
• Regulatory: Regulatory agencies seize control of assets or are granted absolute decision-making authority


3. Link Risks to Controls

Once you have identified the source of risks and assessed them objectively, you need to know how controls are actually covering risks.

Often, the knowledge of how the risk is mitigated is only a conversational explanation from the business area in facilitated sessions.

This is sufficient for some risks, but you want to make sure for a certain subset of your top risks that these mitigation activities are adequate.

Maintaining a system where risks are directly linked to their controls helps you maintain better governance over mitigation activities. With such a system, you have a valuable record of when and why different controls were created, as well as auditable proof that your business is working to manage risk.


4. Connect Risks to Strategic Goals

Getting an accurate pulse on strategic imperatives is challenging because these goals are cross-functional in nature. And while they are extremely useful for the board and senior executives, they are impossible to act upon without operationalizing them (breaking them down into root-cause, silo-specific activities within business areas), and this is where risk management plays a role.

1. Link Risks to Goals

You need to connect risks to corporate goals. You can get these strategic goals from the strategic plans and other places within your organization. The next step is to identify a number of root-cause risks that could threaten to derail this corporate goal. For example, Customer Satisfaction is a strategic goal. Determine which root-cause risks in your risk register will impact the goal of Customer Satisfaction.

2. Connect Goals and Risks to Business Areas

Next, work with business areas to identify which strategic goals they have an impact on and identify and assess, as we discussed earlier, which of the risks you identified are applicable to their business area.

[Diagram: a Strategic Imperative broken down into Processes, each broken down into Activities]


3. Make Presentations Relevant and Actionable

The traditional way of presenting risks to the board and senior executives is the “top 10 risks” method. A more valuable approach is showing the top risks above a certain cut-level, or tolerance, for each strategic goal.

By connecting root-cause indicators from business areas to events and goals, you can accomplish two things: first, present information so the board recognizes and understands what business areas contribute to that concern or objective. Second, know the root-cause issues of the goal or objective, which makes it all actionable.

If you follow the best practices we have covered so far in this presentation, you can say, “Here are our goals, here are the biggest risks to these goals, and here are all of the related resources and activities across the organization to mitigate these risks and achieve the desired level of performance.”

This type of presentation is actionable because if you successfully mitigate your top risks, the organization will be able to achieve a measurable milestone. On the other hand, even if you effectively mitigated all top 10 risks, you might not move your organization forward because not enough risks in any one area were mitigated to reach critical mass to move your organization toward its goal.

Strategic Goal: Cash Flow Predictability

Category | Factor | Indicator | Impact | Likelihood | Assurance | Inherent Index | Residual Index
Process | Transactions | Transactions are improperly valued | 6 | 6 | 8 | 36 | 28.8

[Heat map: Likelihood against Impact, each axis banded 1-2, 3-4, 5-6, 7-8, 9-10; color indicates Assurance scores, where 1 is the most effective]


5. Embed ERM in Everyday Activities

At the end of the day, better risk assessments can only be fostered by engagement, and this is the hardest part. The good news is, when it comes to business, people love success and efficiency. So be your own business case! Start to use your own experience and successes to get others to see the value involved.

Risk is in everyone’s job responsibilities. The more integrated ERM is in everyone’s job descriptions, the easier risk assessments will become and the more valuable they will be, but this may take time. Start integrating ERM into everyone’s day-to-day activities by starting with your own area.

By applying an ERM approach to your own functional area, you can prioritize existing activities, manage change, objectify conclusions to enable better issue escalation, and gain a panoramic view of disparate controls and tests. All of this will help you streamline and add value to current activities, enabling you to spend less time on check-the-box compliance or insurance efforts and more time preventing loss events and identifying emerging risks.


These 5 Steps in Action

Let's look at an example most companies face: professional liability insurance applications. Insurance companies require seemingly innocuous assertions about the management of your organization's operations and governance. Among other things, they seek information on operational controls, management of content and privacy exposures, computer systems controls, computer system access protection, data back-up procedures, and data encryption procedures.

Did you ever notice that they are actually doing a risk assessment of your organization?

They rely upon your representations and answers for their assessment of your organization’s risk! The problem is you’re making representations on cross-functional issues dependent on others. With a centralized repository of risks and the activities they are connected to, as we discussed earlier, you can identify the root-cause risk and automatically know what controls exist across the enterprise.

Outcome: Content management and privacy exposure liability

Potential Root Cause
Category: Process
Risk: Transactions are not clearly supported by technical or legal pronouncements
Impact: 6 Likelihood: 5 Assurance: 3

Mitigation Activities
IT: Access Rights Policy
Legal: Privacy Policy Review
HR: HIPAA Compliance
Vendor Management: Verification of Non-Contracted Employees

Here we have typical professional liability loss that everybody is trying to prevent in 100 different ways. We can choose one potential root cause from the process category for instance, and define the risk further. We also give this risk a score based on impact, likelihood, and assurance to get an idea of its criticality.

And we have a nice list of the activities occurring across the organization to control the risk. All in all, we have a comprehensive and accurate way to answer the questions posed by our insurers.
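As an added illustration (not LogicManager's code), here is a small risk register in Python that applies the scoring pieces from this eBook together: root-cause categories, the 1-10 scale with its severity buckets, the inherent and residual index, the tolerance cut-level per strategic goal, and the links from risks to mitigation activities. The residual formula (inherent index times assurance, divided by 10) is an assumption inferred from the eBook's figures, and linking the second risk to the Cash Flow Predictability goal is constructed for the example.

```python
from dataclasses import dataclass

# Root-cause categories from the eBook's risk library.
CATEGORIES = ("External", "People", "Process", "Relationships", "Systems")

# Severity buckets of the calibrated 1-10 scale, as defined on the criteria page.
BUCKETS = ((1, 2, "Insignificant"), (3, 4, "Minor"), (5, 6, "Moderate"),
           (7, 8, "Serious"), (9, 10, "Major"))


def bucket(score):
    """Map a 1-10 score to its severity label; reject high/medium/low style input."""
    for lo, hi, label in BUCKETS:
        if lo <= score <= hi:
            return label
    raise ValueError("scores must be on the 1-10 scale")


@dataclass
class Risk:
    category: str
    name: str
    impact: int          # 1-10, 10 = most unfavorable consequence
    likelihood: int      # 1-10
    assurance: int       # 1-10, 1 = controls are most effective
    goals: tuple = ()    # strategic goals this root-cause risk threatens
    controls: tuple = () # mitigation activities linked to this risk

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown root-cause category: {self.category}")
        for score in (self.impact, self.likelihood, self.assurance):
            bucket(score)  # raises if the score is off the 1-10 scale

    def inherent_index(self):
        return self.impact * self.likelihood

    def residual_index(self):
        # Assumed formula: inherent index scaled by assurance / 10. It reproduces
        # the eBook's figure (impact 6, likelihood 6, assurance 8 -> 36 and 28.8).
        return round(self.inherent_index() * self.assurance / 10, 1)


def top_risks_for_goal(risks, goal, tolerance):
    """Risks threatening `goal` whose residual index meets the cut-level, worst first."""
    hits = [r for r in risks if goal in r.goals and r.residual_index() >= tolerance]
    return sorted(hits, key=lambda r: r.residual_index(), reverse=True)


def controls_for_goal(risks, goal, tolerance):
    """Mitigation activities across the enterprise behind the goal's top risks."""
    seen = []
    for r in top_risks_for_goal(risks, goal, tolerance):
        seen.extend(c for c in r.controls if c not in seen)
    return seen


# Constructed register holding the two risks shown in the eBook's figures.
REGISTER = [
    Risk("Process", "Transactions are improperly valued", 6, 6, 8,
         goals=("Cash Flow Predictability",)),
    Risk("Process", "Transactions are not clearly supported by technical or legal pronouncements",
         6, 5, 3, goals=("Cash Flow Predictability",),  # goal link is constructed
         controls=("IT: Access Rights Policy", "Legal: Privacy Policy Review",
                   "HR: HIPAA Compliance",
                   "Vendor Management: Verification of Non-Contracted Employees")),
]
```

Raising the tolerance from 5 to 20 drops the second risk (residual 9.0) from the goal's report, which is the cut-level behaviour the presentation section describes.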


Build Better Risk Assessments with LogicManager

There’s a lot going on in this eBook. But have no fear! The most successful companies with the best ERM programs take it one step at a time.

Many companies, however, find it easier to implement these five steps with the help of ERM software. Request a demonstration to see how LogicManager can help you communicate across departments, collect actionable information, and report on your success. Not ready for a demo but want more information how to improve? Download our eBook, “5 Characteristics of the Best ERM Programs.”
