Within any enterprise risk management framework it is essential that your risks, once properly identified, are assessed in a coherent and consistent manner. Here we consider the 3 key areas of the risk assessment process that can help to improve the quality and reliability of your risk assessments.
1. What are we actually assessing?
When assessing a risk, what is actually being assessed must be clearly and consistently defined for the assessor. For areas where risk is difficult to quantify (for example, ethical practices), the need to specify and detail what is being assessed and measured becomes even more marked.
What does it mean to say you are assessing conduct risk? Are you assessing the general behavior of the staff members within an organization or are you referring to specific legislation around behavior and disclosure? Only once the risk is clearly defined can you start to decide how to assess it properly.
2. Clear and common scoring schema
Whether quantitative or qualitative, some scoring criteria will be applied to the risk as part of the assessment. This can range from very specific numerical values (50% probability of loss up to £10,000) through to more subjective analyses (low likelihood of a major loss of reputation through improper conduct).
What is important, however, is to ensure that any scoring scheme used to assess a particular risk is consistently defined and applied, with clear guidance on providing values.
It is from this consistent application of scoring schema that a true view of the risk portfolio can be obtained and used to mitigate risk going forward, for both the organization as a whole and its individual business units.
3. Following up on the assessment
After every risk assessment, a series of actions should be defined, assigned and scheduled to ensure that issues identified within the assessment are dealt with in a prompt and correct manner.
Many organizations perform rigorous risk identification and assessment only to fail to define and action the improvements necessary to ensure their risk portfolio is correctly managed. Prompt action taken after an assessment can not only improve the overall mitigation of the risk in question, but also help define clear reasoning and context for any changes in organizational behavior that might be met with resistance (for example, a change in working patterns or reporting).
By ensuring that the above 3 steps are properly considered and implemented, organizations can ensure not only that their risk assessments are measuring the right areas but also that the necessary changes are being implemented.