Author: Doug Nickerson, CPA, CGFM, CFE, CIA, CCA | Business Assurance & Advisory Services Partner
Risk is a certainty in any organization; however, how an organization deals with it can have a major impact on the achievement of its key mission and goals. Despite this, little is formally done to evaluate and manage risk.
Risk is the threat that an event or action will adversely affect an organization’s ability to achieve its objectives and to successfully execute its strategies.
Risk management is defined as a logical and systematic method of identifying, assessing and evaluating, prioritizing, controlling, and monitoring and communicating risks associated with any activity, function or process in a way that will enable an organization to minimize losses and maximize opportunities. Risk management requires more than simply adopting policy. It requires ingraining risk management into every aspect of the organization’s operations.
Although there are slightly different versions of the risk management cycle, in general it can be summarized as follows:
- Identify the potential risk.
- Assess the impact of the risk on the organization.
- Control the risk by implementing mitigating controls.
- Continuously monitor the risk and any changes noted in the original assessment.
- Document and publicize lessons learned and actions taken.
As simple as the risk management cycle noted above may seem, there are a number of key practice areas that those responsible for risk management are overlooking. Including these areas in your risk management process can help enhance the organization’s ability to achieve its objectives, successfully execute its strategies, and increase the confidence of your constituents.
Ask the right questions – ask questions regarding what the impact or benefit of addressing a certain risk factor would be to your constituents.
Create the right culture for risk management – set expectations of those responsible for risk management, have clear communications at all levels, and get proper buy-in from senior management responsible for oversight.
Focus on the organization’s objectives – the primary purpose should be to contribute to the success and future of the organization.
Realize there are limitations to risk assessments – the assessments and results are only as good as the efforts put into them; making this a significant priority in your organization will help with its success.
Ensure rules and policies can be enforced – having unrealistic rules or policies, or not having senior management buy-in, or not demonstrating that violations will be met with consequences will surely derail these efforts.
Risk management activities should not be done only at a point in time during the year, but continuously, because as the organization changes, so do its risks.