An Enterprise Risk Assessment (ERA) is a systematic and continuous process of proactively identifying an organization's potential risks and assessing the impact and likelihood of the potential future risk events that are most consequential to the organization's ability to execute its strategy and achieve its business objectives within a stated time horizon.
What is Risk?
As per the PMBoK of the Project Management Institute (PMI), risk is defined as “An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives”.
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result. An effect is a deviation from the expected, positive or negative.
From the above two definitions, it is clear that a risk may be a positive or a negative deviation from the expected. In general parlance, risk is commonly understood as a negative or adverse effect. However, in risk-based thinking an opportunity can also be found; this is sometimes seen as the positive side of risk. In discussing Enterprise Risk Assessment, we focus here mainly on negative risks.
Understanding Risks in an Organization
Risk is about what could happen and what the effect of that happening might be. Risk also considers how likely it is. Risk is assessed as a combination of the probability of occurrence and the severity of the consequences if it occurs: how likely (or how frequently) it happens, what could happen, and what the effect of this happening might be (severity).
The risk-based thinking approach is likely to be much more effective in allowing organisations to become stronger, fitter businesses. The better your organization manages risks, the better prepared you are to face uncertainties. Risk-based thinking requires companies to evaluate risk when establishing strategies, taking up new projects, investing in new ventures, defining business processes, controls and improvements, adopting new systems, or even assessing existing businesses.
Enterprise Risk – Categories
Risks in an organization may emerge from many areas of business: strategic risks, operational risks, technological risks, market-related risks, quality and process risks, financial risks, economic risks, environmental risks, occupational safety and health risks, information security / cyber risks, legal risks, regulatory or compliance risks, etc., as shown below with examples.
Enterprise Risk Assessment Process
The Enterprise Risk Assessment process is an on-going process with the following steps:
> Understand the business, its operations and working conditions, the industry and competition, stakeholders, etc.
> A risk profile is an evaluation of an individual's willingness and ability to take risks. It can also refer to the threats to which an organization is exposed.
> A corporation's risk profile attempts to determine how a willingness to take on risk (or an aversion to risk) will affect its overall decision-making strategy. It provides a clear profile of the major risks that can negatively impact the company's overall business.
> Identified risks are carefully analysed to determine both their likelihood of occurrence and their potential impact on the business. This is a quantitative analysis of the types of threats an organization faces, with the goal of providing a non-subjective understanding of risk by assigning numerical values to variables representing the different types of threats and the danger they pose.
> This is the formalization of the risk response stage, where formal action plans and risk measures for risks falling outside the acceptable tolerance levels are finalised. Once the potential risks are finalized and their impact analysed, optimal risk response strategies are formulated with the consensus of all the team members concerned.
> Risk champions / owners are also identified and assigned responsibility. Initiatives are taken to validate the action plans and to formalize the audit process and business continuity planning.
> Once the risk response strategy is finalised, it must be communicated to all concerned. Relevant information and data need to be constantly monitored and communicated across all departmental levels.
> Measure, monitor, and communicate the effectiveness of the risk response strategies by utilizing any key risk indicators deemed effective by the organization.
> Risks are dynamic in nature, so the real risks need to be monitored and continuously updated. Enterprise Risk Assessment is a continuous, on-going and evolving process of proactively and pragmatically documenting risk management policies and processes.
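The analysis and response steps above (likelihood and impact scored numerically, risks outside the acceptable tolerance level given a formal action plan and a named owner) as a small risk register. This is an added example, not code from the article or its author; the 1 to 5 scale, the tolerance value, the categories' owners and the sample risks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for both likelihood and impact

@dataclass
class Risk:
    name: str
    category: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe
    owner: str = ""  # risk champion / owner, assigned in the response stage

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    def score(self) -> int:
        # Risk = likelihood x impact, the combination the article describes.
        return self.likelihood * self.impact

def outside_tolerance(register, tolerance):
    # Risks scoring above the acceptable tolerance level, highest first;
    # these are the ones that get a formal action plan in the response stage.
    flagged = [r for r in register if r.score() > tolerance]
    return sorted(flagged, key=lambda r: (-r.score(), r.name))

def assign_owners(risks, owner_by_category):
    # Every flagged risk gets a named owner; categories with no nominated
    # owner fall back to the ERA coordinator so nothing is left unowned.
    for r in risks:
        r.owner = owner_by_category.get(r.category, "ERA coordinator")
    return {r.name: r.owner for r in risks}

def worst_by_category(register):
    # Highest score per risk category, a simple input for a heat map.
    worst = {}
    for r in register:
        worst[r.category] = max(worst.get(r.category, 0), r.score())
    return worst

# Constructed sample register; names, ratings and owners are illustrative only.
SAMPLE_REGISTER = [
    Risk("Ransomware outage of order system", "Information Security / Cyber", 3, 5),
    Risk("Key supplier insolvency", "Operational", 2, 4),
    Risk("Late statutory filing penalty", "Regulatory / Compliance", 4, 2),
    Risk("Adverse currency movement", "Financial", 4, 3),
    Risk("Rework from process deviations", "Quality & Process", 5, 1),
]
TOLERANCE = 9  # assumed acceptable tolerance level; scores above it need a plan
OWNERS = {"Information Security / Cyber": "CISO", "Financial": "CFO"}
```

With the sample register, `outside_tolerance(SAMPLE_REGISTER, TOLERANCE)` returns the ransomware (15) and currency (12) risks; re-running the same functions after each review cycle is what keeps the register current as the article's last step requires.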
Risk Assessment – Concluding Comments:
The Enterprise Risk Assessment tool is used by organizations to manage risks proactively and to seize opportunities related to the achievement of their objectives. Risk assessment outcomes help organizations establish strategic priorities and activities to tackle key risks. Increasing awareness and imbibing a risk culture, with the involvement of top management and cross-functional teams, enhances the organization's ability to understand and identify risks and to develop action plans in advance to manage them proactively.
Disclaimer: The views and opinions, thoughts and assumptions, analysis and conclusions expressed in this article are those of the author and do not necessarily reflect any legal standing.
Author: SN Panigrahi, GST & Foreign Trade & Project Consultant, Practitioner, International Corporate Trainer & Author. The author can be reached @ [email protected]