Risk management can impact project budget, schedule, and/or quality. Business Blackout, a report recently published by Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies, estimated that an attack on the U.S. power grid could result in approximately $70 billion in insurance claims and economic losses of as much as a trillion dollars. Further, companies are trying to address many different types of risk, including strategic, operational, compliance, financial, market, credit, and supply chain risk, to name a few. Strategic risk accounts for approximately 60% of the risk universe, whereas operational and financial risk account for approximately 30% and 10%, respectively.
Even though many companies have been conducting risk assessment studies for many years, most find it challenging to create a complete set of enterprise risk assessment steps and to realize its full value. The chart below describes a basic process for risk assessment.
The article Enterprise Risk Management Beyond Theory reports on a study that interviewed five companies. Most of the companies suggested the following basic steps as necessary for a robust risk assessment approach:
- Buy-in from the top: All the companies in the article agree that the leadership must believe in the risk assessment approach in order for everyone to cooperate.
- Keep it fresh: If the risk factors are not refreshed often, a breakdown may occur without any of the key indicators ever triggering. Cyber attacks, which were considered unlikely a few years ago, are now considered an imminent threat to most large companies.
- Condense the information: A complicated checklist will confuse people and can even cause the basic risks to be overlooked. There are various ways to report the information, including a qualitative likelihood of an event (likely, unlikely, and certain), a numeric ranking of the likelihood of an event (1-5), or a ‘heat map’.
- Learn from others: It is important to create processes that fit the organization’s needs, but in order to gain a competitive advantage, companies should also review other companies’ risk assessments.
My last employer used some of these approaches. The company performed a complete risk assessment every two to three years, and the risks were categorized by business area or function. A formal “Risk Assessment Committee” reported directly to the President, which partly contributed to the attention it received. All aspects of the business were reviewed and the risks were categorized 1-5 (5 being a likely scenario). Anything over 3 was discussed each year and addressed over the following two years. The checklist was kept transparent to all parties involved, and certain parts of the checklist were made available to the whole organization.
Certain risks, such as business closure risks, were discussed more frequently. A “Risk Assessment Checklist” was completed during, and reviewed after, each event (including weather-related events) that resulted in a closure of the business.
What are your company or your competitors doing to assess risk? How do the factors mentioned above impact your organization?
Illustration of “Heat Map”