
Analogies are always useful when teaching. In discussions of risk identification and assessment, the understanding deepens when it is described as the nuclear reactor that continuously empowers decision makers in a dynamic environment.
What are the key elements and benefits of risk identification and assessment? Why is it vital to enterprise risk management (ERM), and what are the best practices in this area?
Risk Identification and Assessment is the Backbone of ERM
A risk is defined as any potential threat, loss or opportunity to an organization in the near-, mid- or long-term.
Brenda Boultwood
Risk identification relies on a common risk taxonomy that acknowledges the risks relevant to a data object. It serves as the foundational first phase of the broader risk assessment process.
Once risks have been identified, they are then subjected to rigorous analysis and evaluation to understand thoroughly their nature, underlying causes and potential consequences – and to determine their probability of occurrence and overall significance. This assessment process provides the necessary comprehension of the identified risks, enabling organizations to determine how they should be managed and prioritized effectively.
Risk assessment is the process of assigning objective probabilities and consequences to identified risks. Probability and rating scales allow consistent quantification of risk; they can be supplemented by a consequence scale based on qualitative and quantitative factors. A risk may have different probabilities and consequences depending on the time horizon and the specific data object being assessed.
Let’s now consider seven current best practices that exist for rating risk probability and consequences.
1. Develop standard buckets for risk probability and consequence ratings. Rating scales are simple: they can, for example, consist of four or more buckets covering both probabilities and consequences of risks, arranged in a risk assessment matrix. Alternatively, they can be driven by qualitative categories, dividing risks into high, medium and low.
As far as assigning the objective probabilities and consequences, the most common industry practices are historical data analysis and expert judgment. Figure 1 (below) shows that risk identification and assessment happen after the scope of ERM has been defined through a set of agreed risk objects. Under this approach, experts agree on an objective and observed probability for each risk, and a common risk taxonomy is established to standardize the language of ERM.
Figure 1: The ERM Risk Identification and Assessment Process

Policy standards for risk identification and assessment are critical. An organization should publish consistent instructions outlining a practical approach for executing risk identification and assessment. For each risk object in ERM, the risk policy should provide instructions for the application of standards for assigning risk probabilities and consequence ratings.
2. Use of expert judgments and historical data analysis. A risk policy should outline how objective risk probabilities and consequences are determined based on a blend of expert judgment and historical data analysis.
Leveraging the best practice of risk matrices, these probabilities and consequences should be used to assign risk scores to identified risks. These risk scores should be standardized across services and scalable for different command levels.
This process must remain consistent, all the way from the highest echelons of the strategic level to the lowest rungs of tactical management. Risk assessments should also be completed for different time frames for each risk, visually displaying changes in risks over time.
3. Establish an adaptive frequency for risk assessment. In the initial stages of ERM implementation, risk assessments will typically be performed at standard intervals, such as semi-annually or annually. As the risk assessment process matures, it should be “triggered” based on events, such as a change in organization leadership, the completion of a risk treatment plan, or an unexpected event.
4. Seek different views on the most effective risk assessment techniques. When assessing risk, it pays to get a variety of perspectives. Top-down risk assessment can be conducted through targeted surveys and interviews with members of senior management and the board of directors. This allows the exploration of internal and external threats to a firm’s mission and readiness, driven by the concerns of senior leaders.
A bottom-up approach, on the other hand, typically starts in a workshop driven by members of a specific business unit, with the goal of facilitating complete identification and assessment of the risks. Bottom-up risk assessment, delegated to the lowest levels in a chain of command, allows for a grassroots expression of key risk issues. End-to-end process mapping, scenario analysis and competitor benchmarking can be critical inputs to the bottom-up risk assessment.
Given that different levels of understanding of a business and its risk exist throughout an organization, it’s not uncommon to find a different understanding of the risks across business units. This highlights the need for further education both about the business and its risks.
Figure 2: Top-down and Bottom-up Risk Assessment

5. Consistency can be established through risk visualization. Risk heatmaps, risk intensity comparisons, risk bowties, risk trend identification and risk complexity comparisons are among the visualization tools that can be used to build consistent risk assessment. All depend on a common risk identification and assessment approach.
6. Risk aggregation requires a standard risk taxonomy and rating scales. Critical risks must be assessed for each risk object and rated with common probability and consequence scales.
Unbiased risk aggregation depends on a standard approach to risk identification and assessment. The resulting data helps manage risk concentrations, as well as risks that may appear minor in any single risk assessment but could aggregate into a larger problem that may otherwise be overlooked by management and the board.
7. Remember that risk identification and assessment is a continuous process. The best business managers go to bed each night thinking of what can go wrong. ERM must be continuous, because the environment is dynamic and potential threats must be identified and acted upon early to ensure awareness and integration into decision-making processes. This is the foundation of continuous learning and improvement, which sets the stage for adaptation and winning in a competitive environment.
Value Proposition of a Standard Approach
The overall value of risk identification and assessment is in its consistent application across an organization. This allows for risk comparisons and trend analysis over time.
Brendan Schroeder
A standard risk rating approach ensures apples-to-apples comparisons of risks at each point in time and across time. If a risk reassessment reveals a risk whose rating shifts dramatically across time periods, it would follow that this risk has a high velocity and requires frequent reassessment.
Similarly, a standard approach to risk identification and assessment has great value. Specifically, it allows risk management to be scalable and adds immense utility when the results of top-down and bottom-up risk assessments are combined, creating a common understanding and prioritization of the issues facing an organization. The ability for risk assessment to be “triggered” means that ERM is inherently dynamic and able to respond to novel threats.
Across risk assessments, the common risk taxonomy and risk rating scales allow risk comparisons, trend analysis, aggregation and meaningful understanding of risk trade-offs over time.
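The following is an added, constructed example and not code from the article or its authors. It shows how standard probability and consequence buckets (practice 1), a risk-matrix score (practice 2), aggregation across risk objects on a common taxonomy (practice 6) and the velocity check described above can be implemented together. The bucket names, score thresholds, business units and sample assessments are all assumptions chosen for illustration; an organization's risk policy would define its own.

```python
"""Toy risk matrix: standard buckets, scoring, aggregation and velocity.

All scales, thresholds and sample assessments below are constructed for
illustration and are not taken from the article.
"""
from dataclasses import dataclass

# Standard four-bucket scales (assumed). Every risk object must use these
# same buckets so that scores are comparable across units and over time.
PROBABILITY = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}


def rating(score: int) -> str:
    """Map a 1..16 matrix cell to a qualitative high/medium/low bucket (assumed thresholds)."""
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Assessment:
    period: str        # assessment period, e.g. "2024-H1"
    risk_object: str   # business unit, region, product, process ...
    risk: str          # entry in the common risk taxonomy
    probability: str   # key in PROBABILITY
    consequence: str   # key in CONSEQUENCE

    def score(self) -> int:
        """Probability x consequence; rejects ratings outside the standard scales."""
        try:
            return PROBABILITY[self.probability] * CONSEQUENCE[self.consequence]
        except KeyError as exc:
            raise ValueError(f"rating outside standard scale: {exc}") from None


def aggregate(assessments, period):
    """Sum scores per taxonomy entry across all risk objects for one period.

    This surfaces risks that look minor in any single unit's assessment but
    add up to a larger exposure for the organization as a whole.
    """
    totals = {}
    for a in assessments:
        if a.period == period:
            totals[a.risk] = totals.get(a.risk, 0) + a.score()
    return totals


def velocity(assessments, earlier, later, threshold=4):
    """Return (risk_object, risk) pairs whose score moved by >= threshold
    between two periods, as (before, after). These are candidates for
    triggered, more frequent reassessment."""
    by_key = {(a.period, a.risk_object, a.risk): a.score() for a in assessments}
    fast = {}
    for (period, obj, risk), score in by_key.items():
        if period != later:
            continue
        before = by_key.get((earlier, obj, risk))
        if before is not None and abs(score - before) >= threshold:
            fast[(obj, risk)] = (before, score)
    return fast


# Constructed sample assessments: three business units over two periods.
SAMPLE = [
    Assessment("2024-H1", "retail", "third-party outage", "unlikely", "minor"),
    Assessment("2024-H1", "wholesale", "third-party outage", "unlikely", "minor"),
    Assessment("2024-H1", "treasury", "third-party outage", "unlikely", "minor"),
    Assessment("2024-H1", "retail", "fraud", "likely", "major"),
    Assessment("2024-H2", "retail", "third-party outage", "likely", "major"),
    Assessment("2024-H2", "wholesale", "third-party outage", "unlikely", "minor"),
    Assessment("2024-H2", "treasury", "third-party outage", "unlikely", "minor"),
    Assessment("2024-H2", "retail", "fraud", "likely", "major"),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.period, a.risk_object, a.risk, a.score(), rating(a.score()))
    print("aggregate H1:", aggregate(SAMPLE, "2024-H1"))
    print("aggregate H2:", aggregate(SAMPLE, "2024-H2"))
    print("high-velocity:", velocity(SAMPLE, "2024-H1", "2024-H2"))
```

In the sample, each unit rates the third-party outage as low (score 2) in 2024-H1, yet the aggregated score across the three units is 6, which is why aggregation on a shared taxonomy matters. Between the two periods the retail unit's rating for that risk jumps from 2 to 9, so the velocity check flags it for more frequent reassessment, while the fraud risk, unchanged at 9, is not flagged. Aggregated totals are compared with each other across periods; they are not mapped back onto the single-risk high/medium/low thresholds.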
Practical Analysis
Further analysis is required to improve risk identification and assessment approaches. The first area is determining potential systemic biases in risk assessment across risk objects, such as business process, region, product or organizational unit.
The second area is developing an adaptive mathematical model concerned with the accuracy of the probabilities and consequences assigned. This model should use a dynamic combination of different methods to determine, ex post, the probabilities and consequences based on the context surrounding different risks.
The end goal of this mathematical model is to create a system that “learns” methods that result in more accurate probabilities and consequences. It should leverage the more accurate methods in the aggregation of probability and consequence to prioritize a risk more accurately.
Further research into models for risk velocity – i.e., how quickly a risk can occur, or change in probability or consequence – would likely provide a competitive edge in risk assessment. To ensure that this process is rigorous, research teams should require access to historical data sets and past risk assessments, as well as information on how risk assessments were completed.
Parting Thoughts
Standard risk probability and consequence rating scales support risk identification and assessment across time frames. The goal is to improve organizational decision-making over time, triggering risk reassessment when necessary and allowing for the visualization of trade-offs in risks across time frames. This analysis also determines where a specific risk falls within the organization's defined risk appetite.
Risk assessment is a pivotal step, because it provides the necessary understanding for making informed decisions about how each risk should be treated – including whether to enhance controls through mitigation strategies or to accept them within established risk tolerance parameters.
Ultimately, the risk identification and assessment process establishes the foundational understanding of a dynamic risk landscape, enabling effective prioritization of risks and optimal allocation of resources for risk treatments.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy, the U.S. Navy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management, and compliance roles at JPMorgan Chase and Bank One.
Brendan Schroeder is a rising second-class midshipman from St. Louis, Missouri. He is a mathematics major and a member of the USNA Combat Arms Team.