Five methods to Identify Risk

Over the next few weeks Tony and John will be blogging about how to identify risks, the importance of taking a strategic company-wide view of risks, as well as a department or process level view. How to manage those risks using operational risk software, what controls can be put in place, and challenging risk scores.

This exert is taken from their book Mastering Risk Management…

First a note about the importance of strategic risk assessments. These identify the risks to the firm from meeting its business objectives. It is surprising that many firms ignore strategic risk assessments and concentrate solely on risk assessments by department or process. While these are very useful, they are not focused on the strategic objectives of the firm.  Given the purpose of a strategic risk assessment, the risks identified are likely to be business-type risks such as the failure of an outsourcer or the loss of a member of the executive team. These will naturally have a more significant impact on the firm than the risks identified at a departmental level which are likely to be, for example, the failure of software used by the department or the loss of a supervisor within the department. 

As well as wishing to achieve its strategic objectives, a firm should be looking to identify what it has to mitigate the risks that it has identified. These are the controls over the risks. The controls will also be assessed as well as identified.  

Risk Identification   

Identifying risks (and their accompanying mitigating controls) should be a part of the firm’s day-to-day business life and processes. Risk identification is a normal and natural part of being in business and should not be regarded as something that is done only once every six months or whenever a full risk assessment is performed.

1. Using the firm’s objectives to identify risks

The use of a firm’s objectives or goals to identify its strategic risks is the most natural place to start. The simple problem of “What will prevent me from meeting my objectives?” is one of the questions that the management asks itself many times during the year. By listing those things that will derail the objectives and assessing how good the firm is at managing the risks, senior management is simply performing one of the most important parts of its role. 

As well as using the firm’s objectives, there are a number of other ways in which risks can be identified. 

2. Using a risk library to identify risks

A risk library lists all the risks identified by a firm by risk. While it is useful to have a full list of risks identified by the firm, it can be constraining in a risk and control self-assessment, since participants tend to focus on the library rather than on what might prevent the firm from achieving its strategic objectives or goals. Given that one of the purposes of a risk and control self-assessment is to identify the risks, the existence of a risk library begs the question as to how the risks in the library were identified and to what the risks relate. If there is a risk library, put it to one side and start the risk and control self-assessment from scratch using the objectives or goals of the area being assessed. The library can be used later to validate the risks that have been identified and to check that no significant risks have been forgotten. 

3. Using indicators to identify risks

Indicators show the movement in the likelihood or impact of a risk, in the design or performance of a control, or in the performance of a firm in relation to its objectives or processes. As such, existing indicators are useful in identifying the risks and controls on which the firm focuses. It is frequently possible to identify to which risk the indicators relate as the indicators are very often used to monitor the status of particular risks. However, key risk indicators (KRIs) and key control indicators (KCIs) are often mixed with key performance indicators (KPIs), so a first step is to sort the indicators. Although there will be business benefit in sorting indicators into logical and consistent sets, this activity is likely to be outside the scope of a risk and control self-assessment and will therefore generally be undertaken separately.

4. Using audit findings to identify risks

Internal and external audit reports are also a good source of risks. However, auditors will often consider a control failure to be a risk. From a risk management perspective this is not true and a control failure should be thought of as simply that – a failure of a control. These lead to risks but are not risks themselves, i.e., a failure of a control is often the cause of a risk event occurring. For example, an ineffective salary review may lead to the loss of key staff.  The risk is the loss of key staff – not an ineffective salary review.  

5. Using losses to identify risks

Losses are the monetary result of a risk occurring. Losses are often collected by firms, particularly in reports to the risk committee or the audit committee.  When loss causal analysis is used, this can be helpful in identifying the risks that have occurred and controls that have failed. However, the risks may have been identified without any reference to the business objectives or processes and are often couched as control failures, rather than as risks which resulted from the control failures.

Care must be taken and additional work will probably be required for the analysis to be used in the risk and control self-assessment.  A firm’s losses will only give a historical view of the risk to which it has previously been subject. It is therefore important to understand that there will be many more potential risks than are identified by a loss causal analysis.

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. : https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317   

For more information contact us today on sales@risklogix-solutions.com