Developing risk maps, heat maps and risk rankings based on subjective assessments of the severity of impact of potential future events and their likelihood of occurrence is common practice. These approaches provide an overall picture of the risks, seem simple and understandable to most people, are often the result of a systematic process, and provide a rough profile of the organization’s risks.
Common attributes of the risk map include governing objectives based on a business strategy or plan that provides a context for the assessment, a common language that provides a context for understanding the universe of relevant risks, and predetermined criteria for conducting an assessment.
While everyone agrees that an effective risk assessment should never end with management holding a list of risks, it is not unusual for traditional risk assessments to do just that, leaving decision makers with little insight as to what to do next. So, why is it challenging for companies to move beyond a risk assessment to an actionable plan?
Protiviti offers four reasons. First, the risk assessment process can allow individual biases to affect the assessment, foster “group think” and preempt outside-the-box thinking. Second, research has shown that scales derived from qualitative descriptions of severity and likelihood are understood and used differently by different people. Assessments by unknowledgeable participants are often “middle of the road” on these scales and can skew the overall results. Intersections on a risk map are mean averages of sometimes widely dispersed views and are not necessarily a consensus of the participating evaluators.
Third, subjective assessments are often influenced by experience. This is a dangerous shortcoming of the process because one thing we continue to learn over the years is that the past is not always a reliable indicator of what to expect in the future. For example, the financial crisis taught all of us that what we don’t know is more important than what we do know. The integrity of the risk assessment process can be impaired by the overconfidence stemming from past successes and an overly simplified view of the future.
Fourth, the process offers little insight as to what to do about exposures to extreme events. The process sometimes leads to a conclusion to deemphasize the so-called “high-impact, low-likelihood” risks because of the low probabilities involved and a false sense of security arising from the lack of historical precedence. These events – whether or not they occur unexpectedly – often cause the most damage. Therefore, the process needs to take into account such considerations as the velocity or speed to impact, the persistence of the impact over time and the organization’s response readiness.
There may be a place for traditional risk assessment approaches when creating awareness and obtaining a quick overview of risk, particularly when a company is just starting down the path of ERM. However, traditional approaches lose their value over time and become more of a backward-looking audit tool than a forward-looking exercise as the company’s risk management evolves. Accordingly, more focused assessment mechanisms may be necessary to provide insight that management needs. If very little happens as a result of an organization’s risk assessment process, it is a clear sign that alternative approaches should be considered.
You can read more on this topic in Making Your Risk Assessments Count and by exploring these tools on KnowledgeLeader:
Enterprise Risk Assessment Process Questionnaire
Enterprise Risk Management Key Performance Indicators (KPIs)
Risk Assessment Results Audit Committee Report