Organizations are constantly faced with evaluating risks when making decisions. More often than not, this evaluation is informally completed by one individual. Inherently, this could lead to a gap when evaluating risk in your organization. Today’s business environment is unpredictable and competition is fierce. Properly identifying, evaluating, and managing risks across your organization are key to its long-term success.
In its 2004 Enterprise Risk Management Integrated Framework (COSO ERM Framework), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined risk as the possibility that an event will occur and adversely affect the achievement of an objective. In February 2015, COSO announced a project to review and update the COSO ERM Framework, so be on the lookout for updates.
Companies can use the COSO ERM Framework to assist in establishing an enterprise risk management process with the board of directors, management, and other personnel.
Step 1 – Identify your risks
The first step to evaluating risks involves the proper identification of those risks. To begin the identification process, consider your objectives in connection with various risk factors such as reputation, legal, technology, people, and fraud. As these risks are identified, you should also define your risk tolerance. Involving individuals throughout your organization who are responsible for the achievement of these objectives is an important aspect of this step and should not be ignored.
Step 2 – Rank your identified risks
Next, rate the identified risks according to the likelihood of their occurrence and their potential impact on your organization’s objectives. This step is important because it enables you to compare the risks you have identified.
It is common to want to attack low-hanging fruit, i.e., to misallocate resources to the easiest fixes. However, the goal should be to identify those risks that, when mitigated, will have the biggest impact on your organization. This will lead to a more efficient and effective use of resources.
It is also essential not to look at each risk in a vacuum. Risks are often interrelated, and exposure to one risk could decrease or increase another risk.
Step 3 – Create a plan
The final step of the process is to develop a plan to respond to risks, reevaluate, and monitor. It is important to establish timelines and milestones, and assign the plans to individuals with the authority to effect change.
Organizations with a formal, practical, consistent, and repeatable approach to evaluating risk will be better positioned to capitalize on future opportunities.
Craig B. Evans can be reached at Email or 215.441.4600.