ComplianceOnline

How to Develop an Annual Risk Assessment Plan


    Running a corporation would be easy if businesses could be sure there were no associated risks; the only way to approach that assurance is to use the right annual risk assessment template and process.

    Risk is a crucial element of managing a successful business. The traditional view of risk is that companies should act to avoid it. Now more than ever, the corporate world faces risks that are complex, rampant, and deeply interrelated. In particular, companies face a major threat from cyber risk alongside a wide array of other risks.

    The seminar 'Internal Audit, Fraud Risk Assessment and Risk Management Annual Plan' will equip its participants with a methodology that has been used in a robust internal audit department of a billion-dollar-revenue corporation.

    Why is an Annual Risk Assessment So Important?

    A risk assessment is imperative because it sheds light on the probability of something going wrong and on the negative consequences if it does occur. It helps identify and manage potential problems that could hinder key business objectives.

    Companies need to come up with risk assessment processes that are actionable, comprehensible, and simple to maintain. A robust annual risk assessment plan will take into consideration the company's size, its level of complexity, and its markets. As more and more companies adopt corporate-wide approaches to risk management, newer models of risk management are emerging.

    Annual Risk Assessment Process

    (Figure: Annual Risk Assessment Process)

    1. Identify Risks

      The first step in risk assessment is to identify as many existing and potential risks as possible and use a risk assessment process to prioritize the key risks. Risk managers often use an annual risk management template as an invaluable resource during their risk management process. Here's an example of the sources you can include:

      Risk sources and examples:

      • Operational: disruption to supplies and operations, loss of access to essential assets, failures in distribution
      • Reputational: damage to market reputation, loss of customer or employee trust
      • Project: going beyond budget, not completing projects on time, or experiencing issues with product or service quality
      • Technical: technical failure, or advances in technology
      • Human: loss of a key individual through death, sickness, or other causes
      • Procedural: failures of internal systems, accountability, or controls, or losses from fraud
      • Financial: business failure, fluctuations in the stock market, changes in interest rates, or non-availability of funding
      • Natural: weather, natural disasters, or disease
      • Political: changes in tax, public opinion, government policy, or foreign influence
      • Structural: dangerous chemicals, poor lighting, falling boxes, or any other hazards to staff, products, or technology

      Sources of risks can either be static or dynamic.

      • Static risks are those caused by human behavior and unforeseen natural events. Examples include theft, vandalism, robbery, arson, burglary, an employee clicking on a link infected by malware, and so on.
      • Dynamic risks are those that are prevalent yet unique. Examples include cyber risk, risks due to economic or market changes, and so on.

      The identification process must be performed and repeated at the business unit level, at the corporate functional level, and for capital projects. During the risk identification stage, a comprehensive list of risks is created and grouped into categories and sub-categories. This list provides an overview of all the probable risks and highlights some areas for identifying opportunities.

    2. Develop Assessment Criteria

      Some kind of scale or set of criteria is required to assess risk, along with a way to score strategic risk that is consistent across the organization. Assessment usually starts with the development of a scale to rate risk in terms of likelihood and impact.

      'Likelihood refers to the possibility of a risk potential occurring measured in qualitative values such as low, medium, or high.' 'Probability refers to the percentage of possibilities that foreseen outcomes will occur based on parameters of value.' - Projectmanagers.org

      Management will be more consistent in its interpretation if the scales are highly descriptive. When developing these scales, management must evaluate both inherent and residual risk. Inherent risk is the risk a company faces in the absence of any controls, while residual risk is the risk that remains after controls are implemented.

      • Risk criteria are terms of reference against which the significance of a risk to a company's goals and objectives is estimated.
      • Risk criteria can be used to prioritize risk reduction to improve a company's performance.
      • Risk criteria should guide stakeholders in choosing which risks require further risk reduction.
      • Risk criteria should be based upon laws, standards, policies, and other requirements.
      • Risk criteria should reflect the organization's values, policies, and objectives. They should be based on the company's external and internal context and should consider the views of stakeholders.

    3. Assess Risk Interactions

      To be able to assess a company's overall risk, management must first understand the risks of the individual elements and how they interact with each other. Generally, this is done by bucketing associated risks into a broad area and then assigning ownership for that area.

      These risk interactions are typically captured through bow-tie diagrams, risk interaction maps, and correlation matrices.

      (Figure: Assess Risk Interactions)

    4. Prioritize Risks

      In its simplest form, the resulting portfolio of risk is organized as a hierarchy. Another choice is a risk map, or risk heat map: a data visualization tool used to communicate specific risks and prioritize them. The most widely used way to prioritize risks is to assign a risk level to each area, such as low, medium, or high.

      Depicting data with heat maps helps your colleagues, executives, or board members, despite their varying roles and backgrounds, easily understand the risk profile.

      (Figure: Prioritize Risks)

    5. Respond to Risks

      The final step in the annual risk assessment process is to decide how to respond to the identified and prioritized risks. There are five key steps to address risks, and each of them is uniquely critical in the annual risk assessment. These five steps are outlined in the following process diagram.

      (Figure: Respond to Risks)
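      The following is an added example, not part of the ComplianceOnline article or its seminar material, showing how the "Develop Assessment Criteria" and "Prioritize Risks" steps above can be carried through in code: a small risk register scored on descriptive likelihood and impact scales, inherent risk (no controls) separated from residual risk (after controls), a low/medium/high rating, a prioritized list, and a heat-map grid. The 1-5 scales, the rating thresholds, the way control effectiveness reduces likelihood, and the four sample risks are all constructed assumptions; the article itself only specifies low, medium, and high.

```python
"""Risk register scoring: inherent vs. residual risk, rating, prioritization, heat map.

Added example. All scales, thresholds, and sample risks are constructed assumptions.
"""
from dataclasses import dataclass, field

# Descriptive scales (assumed): a descriptive scale keeps raters consistent.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Risk:
    name: str
    category: str          # one of the risk sources from the list above
    likelihood: int        # 1-5 on LIKELIHOOD_SCALE, before any controls
    impact: int            # 1-5 on IMPACT_SCALE
    # (control name, fraction by which the control reduces likelihood), assumed model
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be on the 1-5 scales")
        for control, effectiveness in self.controls:
            if not 0.0 <= effectiveness < 1.0:
                raise ValueError(f"{self.name}: control {control!r} effectiveness must be in [0, 1)")


def inherent_score(risk: Risk) -> int:
    """Inherent risk: likelihood x impact with no controls in place."""
    return risk.likelihood * risk.impact


def residual_likelihood(risk: Risk) -> int:
    """Apply each control's reduction to likelihood; never drops below 1 (a risk is never gone)."""
    remaining = float(risk.likelihood)
    for _, effectiveness in risk.controls:
        remaining *= 1.0 - effectiveness
    return max(1, round(remaining))


def residual_score(risk: Risk) -> int:
    """Residual risk: the controls reduce likelihood, the impact if it still occurs is unchanged."""
    return residual_likelihood(risk) * risk.impact


def rating(score: int) -> str:
    """Map a 1-25 score onto the low/medium/high levels (thresholds assumed)."""
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def prioritize(risks: list) -> list:
    """Order by residual score, breaking ties on inherent score, highest first."""
    return sorted(risks, key=lambda r: (residual_score(r), inherent_score(r)), reverse=True)


def heat_map(risks: list, residual: bool = True) -> list:
    """5x5 grid of risk counts, grid[impact-1][likelihood-1]; residual or inherent positions."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        likelihood = residual_likelihood(r) if residual else r.likelihood
        grid[r.impact - 1][likelihood - 1] += 1
    return grid


def render_heat_map(grid: list) -> str:
    """Text rendering with severe impact at the top, likelihood increasing to the right."""
    lines = ["impact \\ likelihood   " + "  ".join(str(l) for l in range(1, 6))]
    for impact in range(5, 0, -1):
        cells = "  ".join(str(grid[impact - 1][l - 1]) for l in range(1, 6))
        lines.append(f"{impact:>19}   {cells}")
    return "\n".join(lines)


# Constructed sample register (not from the article).
SAMPLE_RISKS = [
    Risk("Ransomware via phishing link", "Technical", 4, 5,
         [("email filtering", 0.4), ("awareness training", 0.25)]),
    Risk("Loss of a key engineer", "Human", 3, 3),
    Risk("Primary supplier disruption", "Operational", 2, 4, [("second source", 0.5)]),
    Risk("Interest rate change", "Financial", 4, 2),
]


def register_rows(risks: list) -> list:
    """(name, category, inherent, residual, rating) rows in priority order."""
    return [(r.name, r.category, inherent_score(r), residual_score(r), rating(residual_score(r)))
            for r in prioritize(risks)]


if __name__ == "__main__":
    for row in register_rows(SAMPLE_RISKS):
        print("%-30s %-12s inherent=%2d residual=%2d %s" % row)
    print()
    print(render_heat_map(heat_map(SAMPLE_RISKS)))
```

      Keeping inherent and residual scores side by side is what makes the register useful to an audit committee: a large gap between the two shows how much the organization is relying on its controls, and a residual score that is still high shows where further risk reduction is needed.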