Making Your Risk Assessments Count: Consider the Distinguishing Characteristics of Risk
Traditional risk assessment approaches often fail to address the distinct characteristics of the risks most companies face. Applying a single analytical framework to risks with different characteristics may make the assessment process easier to execute, but it is likely to yield less insight into how to respond to the risks assessed than approaches tailored to those characteristics.
Risks have well-known similarities; that is, all risks present a potential impact on organizations, and management does not know if or when they will transpire. There are also important and distinguishing differences among major risk categories that should be considered in a risk assessment. Risks can be segregated into the following categories:
- Strategic: The risk that the business model is not effectively aligned with the strategy, or that one or more future events may invalidate fundamental assumptions underlying the strategy. These risks relate primarily to the external environment (e.g., competitors’ actions, changing customer wants, technological innovation and the actions of regulators).
- Operational: The risk of one or more future events impairing the effectiveness or viability of the business model to create value for customers and achieve expected financial results. These risks relate to the various business activities along the value chain within which the organization’s business model is applied (e.g., the supply chain, customer fulfillment processes, human resources, information technology, key channels, key customers and end users).
- Financial: The risk that cash flows and financial exposures are not managed cost-effectively to (a) maximize cash availability and preserve liquidity, (b) reduce the uncertainty arising from currency, interest rate, credit, counterparty and other financial risks, or (c) move funds quickly, at minimal cost and without loss of value, to where they are needed most.
- Compliance: The risk of noncompliance with laws, regulations, internal policies and/or contractual arrangements resulting in penalties, fines, increased costs, lost revenue and/or reputation loss. Financial reporting is a form of compliance risk for public companies.
There are several ways to distinguish these four categories of risk. First, there is susceptibility to measurement. The categories above do not lend themselves to the same level of precision from a quantification standpoint. Strategic risks, as defined above, arise primarily from invalid assumptions and a lack of alignment in execution. Given their nature, the analytical framework applied to them must be more qualitative than the frameworks applied to other risks.
For example, interest rate and other price risks are easier to size in terms of their impact on the business by using scenario analysis, stress tests and value-at-risk frameworks that consider changes in the economy and market volatility. On the other hand, strategic risks arising from invalid assumptions are more about obtaining enough knowledge of expected economic trends, competitors, customers, suppliers, regulators and other external environmental factors to evaluate whether the critical assumptions underlying the strategy remain valid.
Second, there is time horizon, the period over which management assesses the level of risk and the alternatives for managing it. The longer the assessment horizon, the more likely a stated scenario or event is to occur. Because they are a function of the board’s and executive management’s long-term view of the market and the expected pace of change, strategic risks have a longer time horizon than other risks. By contrast, operational risks typically have a shorter horizon, as they are often evaluated in the context of the annual business planning cycle. For instance, one company’s board requested that management conduct two risk assessments: one over one year, to mirror the horizon of the annual budget, and the other over three years, to mirror the horizon of the strategic plan. The time horizon can be a significant factor in determining how current the organization’s risk assessment remains in a rapidly changing environment. The time horizon can also affect management’s risk response options. For example, some issues, such as a capacity shortage at a manufacturing company, can be quite severe over the short term. However, most risks, including capacity, are less of an issue over the long term because management has more flexibility to make adjustments.
Third, variability in outcomes suggests that exposure to risk can result in either upside or downside consequences. Compensated risks are two-sided and present potential for upside (i.e., if we were to list all foreseeable future outcomes arising from the risk, including an estimate of the net cash flows relating to each possible outcome discounted to their present values, we would have a range of outcomes with both net positive and net negative cash flow results, giving rise to performance variability). Because an effective strategy is about pursuing the best bets in the context of the enterprise’s risk/reward balance, compensated risks are often inseparable from the execution of the enterprise’s strategy. The risks are compensated because the potential for upside is sufficient to warrant accepting the downside exposure.
The risks associated with initiating operations in new markets, introducing new products or undertaking large research and development projects are common examples of compensated risks. By contrast, uncompensated risks are one-sided because they offer the potential for downside with little or no upside potential (i.e., every foreseeable future outcome results in net cash outflows, creating a loss exposure). Uncompensated risks include, for example, environmental, health and safety risks, where there is very little, if any, long-term upside to cutting corners, taking shortcuts and accumulating unacceptable exposures.
Finally, there is nature of response. A decision to accept a risk can lead to a conclusion that the risk should be retained, reduced or exploited. A decision to reject a risk can lead to a conclusion to avoid it altogether or to transfer it to an independent, financially capable third party. There is a “decision tree” of sorts for evaluating how to respond to risks, and this decision tree is navigated differently depending on the nature of the risk. For example, compliance risks are often managed through policies and procedures designed to reduce the risks to an acceptable level. Strategic risks, however, may arise from uncertainties that require ongoing monitoring of the environment to ensure that strategic assumptions remain valid over time. Operational risks may require better alignment of processes along the value chain, or the development of rapid response plans in the event that a critical component of the value chain, such as a key supplier, is lost.
Once we recognize that the four categories of risk – strategic, operational, financial and compliance – vary according to their distinguishing characteristics, it becomes clearer why the analytical frameworks used to assess each category should be designed to consider those unique characteristics.
Learn more about risk assessment topics by exploring this related publication on KnowledgeLeader: Making Your Risk Assessments Count: An Operational and a Compliance Perspective.