What is Assessment of Risk?
Assessment of a risk refers to the determination of the risk followed by quantitative and qualitative aspects that result in a recognised threat. Risk assessment is a stage where an organisation identifies and evaluates each risk. It assesses its impact on the organisation and further sets guidelines in terms of risk reducing recommendations.
Table of Content
- 1 What is Assessment of Risk?
- 2 Categories of Assessment of Risk
- 3 Identifying Risks
- 4 Risk Analysis
- 5 External Business Ecosystem
- 6 Internal Environment
- 7 Enterprise Risk Management by Grant Thornton
Risk assessment is the first step towards managing the risk. The outcome of risk assessment is to determine the extent of the potential threat to the organisation due to the risk. It is the correct assessment of the potential threats of these risks that decides the disadvantage or advantage of a particular vulnerability.
Categories of Assessment of Risk
Apart from categorising risks as pure and speculative, we can also categorise them as external and internal risks as follows:
These are risks that originate outside the organisation and include economic trends, government regulation, competition in market and change in consumer taste. They can be further divided into two categories: regulatory risks and environmental risks.
Regulatory risks pertain to laws, regulations, policies and guidance governing organisations. Organisations should observe the rules enforced by the government for regulating their operations. Environmental risks occur due to changes in the environment that have a direct bearing on the working of the organisation.
These risks are specific to organisations, such as employee performance, procedural failure and faulty or insufficient infrastructure. These risks exist within the organisation and normally due to weakness in policies, procedures, systems and personnel. Organisations should take proper steps to ensure minimal disruptions to their operations due to these risks.
The first step in risk assessment process is to identify the risk categories. These risk categories can be listed and explained as follows:
Technical or IT Risks
These risks may result due to the malfunctioning of applications or programmes including computers or perimeter security devices (for example, a computer linked to the Internet without antivirus software could be at risk).
Project Management Risks
These risks arise due to the inability of the project manager to complete and deliver a project, causing the organisation to delay the release of a product in the market.
These risks relate to the infrastructure of an organisation and how well it is able to cope with the business operations as well as protect the organisational assets (for example, risk may arise if the organisation does not have a clear distribution of duties between its production and development environments).
These risks cover events having financial implications on the organisation (for example, investing the company’s cash reserves in a highly speculative investment scheme).
These risks might occur if the organisation fails to comply with the mandated laws and regulations of business operations, resulting in fines or legal sanctions.
Business risks are omnipresent and come in all magnitudes. It is the responsibility of the management to adopt processes and policies that can effectively assess the risk and prepare the organisation to be adaptable to or uniquely designed to cope with specific vulnerabilities.
An organisation should group risks in order to adopt suitable analytic processes. Capital allocation by the organisation should be based on risks in conjunction with their cost/benefit analyses. Every business, before assessing a business risk, first tries to identify the likely occurrence of that risk.
Organisations rely on reasonable approximations based on past experiences in the absence of any specific method for identification or assessment of risk. Every risk assessment should involve assessment of both internal and external risk factors of the organisation.
Risk analysis is the scrutiny of the impact of risks on the achievement of an organisation’s objectives. It also incorporates and determines processes to manage risks. All risks are not equal by their occurrence factors as well as their impact.
Risks once identified need to undergo probability and significance assessment before the management decides how to deal with them. Sometimes, control decisions are made after risk analysis. Risk analysis is an ongoing process, and new internal and external threats constantly develop presenting new hazards to the organisation.
Change itself is a risk. Management must adapt its policies and procedures in order to manage the changing risks and keep their threats at a comfortable level. Organisations adopt different approaches for the analysis of internal and external risks impacting their organisational working.
External risk analysis is data-heavy, and since these risks are outside the control of the organisation, a more systemic approach for analysis is required. Various quantitative techniques like benchmarking, probabilistic modelling, etc., can easily be applied to assess external risks in organisations.
Internal risk analyses are far more specific and controllable processes. The operational risk assessment method is adopted by organisations to manage risks due to inadequate business decisions. They include compliance risks, internal audit risks, etc. Compliance risk assessment is very important in tightly controlled industries like banking or agriculture. Internal audit risks must be assessed, particularly for publicly traded companies.
External Business Ecosystem
In the early 1990s, James F. Moore conceptualised the first definition of business ecosystem in his widely accepted book titled The Death of Competition: Leadership and Strategy in the Age of Business Ecosystems. The concept first appeared in Moore’s May/June 1993 Harvard Business Review article, titled Predators and Prey: A New Ecology of Competition, and won the McKinsey Award for Article of the Year. The following is an excerpt from the same:
An economic community supported by a foundation of interacting organisations and individuals—the organisms of the business world. The economic community produces goods and services of value to customers, who are themselves members of the ecosystem. The member organisms also include suppliers, lead producers, competitors, and other stakeholders.
Over time, they co-evolve their capabilities and roles, and tend to align themselves with the directions set by one or more central companies. Those companies holding leadership roles may change over time, but the function of ecosystem leader is valued by the community because it enables members to move toward shared visions to align their investments and to find mutually supportive roles.
Moore used several ecological metaphors, suggesting that the firm is embedded in a (business) environment and needs to become proactive in developing mutually beneficial (‘symbiotic’) relationships with customers, suppliers and even competitors.
J. Bradford DeLong, a professor of economics at the University of California, Berkeley, defined business ecosystems as the pattern of launching new technologies that has emerged from Silicon Valley. He further defines business ecology as a more productive set of processes for developing and commercialising new technologies characterised by rapid prototyping, short product-development cycles, early test marketing, options-based compensation, venture funding, early corporate independence.
According to Peltoniemi and Vuori (2005), a dynamic structure which consists of an interconnected population of organisations. Business ecosystem develops through self-organisation, emergence and co-evolution, which help it to acquire adaptability. In a business ecosystem, there is both competition and cooperation present simultaneously.
A business ecosystem pertains to a changing environment. It sets a connection between a market economy and an individual organisation. A conscious decision by an organisation to innovate and gain commercial success makes a business ecosystem. A business ecosystem has a large number of interconnected participants and different kinds of interactions. These interactions in the ecosystem are described as competitive or cooperative.
A business ecosystem is located in an environment that has varied political, cultural, social and legal aspects. This complex environment has an impact on the business ecosystem, but the business ecosystem may also have an impact on the environment. The term business ecosystem refers to the environment containing a business organisation but with some more provocative implications.
A business ecosystem has been used to refer to a specific type of environment where clusters of companies that locate their operations in close geographic proximity to each other with a defined focus on a specific type of business or technology. Within the broader focus, these companies may be quite diverse, but they are brought together by the complementary nature of their activities and, in particular, by the perceived value in accessing shared knowledge.
A variety of specialised infrastructure service businesses, including finance, legal, executive recruiting, accounting, consulting, and marketing and public relations firms, help to provide some of the networks that link the practitioners in these diverse businesses. In addition, other institutions like universities and government agencies may also serve both as magnets and as network nodes within the local business ecosystem (Hagel III, 2005).
An organisation’s internal environment includes the organisation’s elements such as current employees, management and, especially, corporate culture that defines employee behaviour. Although some elements affect an organisation as a whole, others affect only managers.
These factors impact the approach and success of various operations within the organisation. The key to the success of any business depends upon how well the organisation is able to manage the strengths of its internal operations and recognise potential opportunities and threats outside of these operations.
The internal environment includes all those factors that influence the business of the organisation and which are present within the business itself. These factors are usually under the control of the organisation.
Some of the components of an internal business environment include the following:
- Objectives of business
- Policies of business
- Production capacity
- Production methods
- Management information system
- Participation in management
- Composition of board of directors
- Managerial attitude
- Organisational structure
- Features of human resource
Organisations that focus on internal business environment do so because they feel that managing the strengths of internal operations is the key to their success. The internal factors basically include the inner strengths and weaknesses. Internal factors can affect how an organisation meets its objectives.
The following resources are essential for the success of an organisation:
- Financial resources like funding, investment opportunities and sources of income
- Physical resources like the organisation’s location, equipment and facilities
- Human resources like employees, target audiences and volunteers
- Access to natural resources, patents, copyrights and trademarks
- Current processes like employee programmes, software systems and departmental hierarchies
Enterprise Risk Management by Grant Thornton
A leading financial management company of income-oriented portfolios with a focus on global real estate securities, preferred stocks, utilities, listed infrastructure and large cap value equities was seeking to implement an internal audit and risk management function.
However, the management team was not sure about where and how to start and required an external partner to enable it to set up these functions efficiently and effectively.
Strategy and Approach
Grant Thornton Limited Liability Partnership (LLP) professionals worked with the senior management team of the company to identify the company’s different business segments and general areas of risk. These areas of risk comprised financial risk, operational risk, technology risk and compliance risk.
Enterprise risk management experts from Grant Thornton used proprietary risk assessment software that was mainly intended for asset managers. The Grant Thornton team members collected input data from management interviews, financial analysis and technology research.
Enterprise risk management experts from Grant Thornton used a risk matrix approach to conduct a review of all significant risks. After interviewing the senior management, and compliance, technology and other departmental supervisors, enterprise risk management experts from Grant Thornton used interview input and raw data from financial statements and different IT reviews to develop a ‘scorecard’ of business risk areas.
The following were the results of the above approach:
- An entire inventory of major risks relating to technology, operations and regulatory compliance was identified.
- A common risk management platform was established not only among the senior management but also throughout the company.
- A three-year internal audit plan was formulated, which enabled the company to address serious risk issues and ensure that effective risk mitigation controls were in place.
- The scorecard, which was shared with both the senior management of the company and the Audit Committee, facilitated the establishing of consensus across the entire company on major risk concerns and devising of blueprint for the new internal audit function and its audit plan.
Impact on the Company’s Business
The following points depict the impact of the various approaches taken by Grant Thornton on the company’s business:
- The senior management of the company is able to focus on common risks.
- The new internal audit function that was launched has clear and well-defined objectives and priorities resulting in efficient use of the company’s time and resources.
- The company’s overall risk profile is rapidly reduced as the enterprise risk management experts from Grant Thornton identify and swiftly address high-risk areas.
- The company is well-prepared to address any marketplace variability, regulatory or compliance issues.
- The company’s risk profile can be easily and efficiently updated to highlight any changing financial condition.
Currently, the enterprise risk management experts from Grant Thornton continue as the company’s outsourced internal audit provider and regularly update the company’s enterprise risk management policies and documents.