Assessing Firm Organizational Risk
Three key steps demystify the process.

January 6, 2011
by Laurie Scofield, CPA and Eric Martinez, CPA, JD
Assessing organizational risk is among the pivotal first steps in establishing a risk management function within an organization. Our last article, How Does Your Firm’s Risk Management Process Stack Up? revealed the importance of conducting an organizational risk assessment and how the risk assessment process fits into the overall risk management function.
The three steps your firm should consider when executing an initial risk assessment are:
A practical, reasoned approach will provide your organization with the necessary tools to develop a comprehensive analysis of organizational risk that will be the foundation of all subsequent risk management activities.
An organizational risk assessment, broadly defined, is a structured means of identifying, assessing and rating the risks faced by an organization within the context of its financial reporting processes, operations and compliance with laws and regulations. It is designed to provide the organization with a structured means to harvest relevant information necessary to proactively consider the implications of such risks, and what actions, if any, the organization should take to mitigate those risks.
Advance preparation is critical to the successful execution of an effective organizational risk assessment. Since individuals from across organizational functions will be involved, the language used to articulate the components of the organizational risk assessment must be standardized and communicated throughout the risk assessment team, the audit committee and board of directors and the organization as a whole.
Communicating the definition of inherent risk is a good place to start. Inherent risk is the risk to an organization before the application or consideration of internal controls that would alter the underlying risk’s likelihood of occurrence and/or impact. For example, an inherent risk relating to cash is that cash can be easily stolen, temporarily borrowed or misappropriated. Internal controls implemented by an organization to mitigate the inherent risk would have a direct impact on the likelihood that cash balances could be misappropriated or misstated.
A well-structured, comprehensive organizational risk assessment should consider the key business and support functions of the organization and measure the inherent risks associated with those functions over a spectrum of broad risk factors. Create a comprehensive list of the significant processes and key support functions for your organization. Is there a single revenue process or multiple distinct revenue processes that need to be considered? For example, a retail organization may sell product in stores in addition to selling directly to consumers through the internet. Is technology a critical process or is it a support function within your organization?
The risk factors should be defined in advance and approved by those responsible for the overall risk assessment process, which may include the CFO, CEO and audit committee. The primary risk factors that an organization may consider evaluating in the organizational risk assessment include:
These risk factors need to be evaluated within each of the processes identified as significant within your organization. For example, how does reputation risk factor into your organization’s revenue process versus your organization’s HR process?
2. Execute and Rate
Comparing and contrasting risk factors across the organization is accomplished through an established risk rating system. Standardizing definitions and assigning quantitative factors whenever possible facilitates prioritization of identified risks. The likelihood of an inherent risk occurring, as well as the impact to the organization if that risk should occur, can best be defined in terms of a numeric rating scale. For example, a likelihood scale of one to five (one representing virtually no possibility of the risk occurring and five representing a risk that is almost certain to occur) provides a standard language with which to discuss and define the inherent risks. Likewise, a scale of one to five would be established for rating the impact, with one representing no impact and five representing a highly significant material impact.
When applied to the concept of reputation risk, the possibility that unconventional sales techniques are employed in your organization’s revenue process might give rise to a higher likelihood (4 or 5) with a relatively significant impact (4 or 5) on the organization’s reputation. The combination of these ratings might then translate to an overall high rating for reputation risk within the revenue process.
Risk ratings are best assigned during healthy facilitated discussions of the inherent risk factors among process owners and key stakeholders. These discussions provide a 360-degree perspective of risks faced by the organization, which in turn provides the organization with the information necessary to make focused, value-added decisions with available resources.
Consider utilizing an Excel spreadsheet to document these discussions and capture the risk ratings. Create a tab for each significant process listing out the risk factors, with columns for rating the likelihood and impact, and assigning the resulting overall risk level. Key discussion points should also be documented as well as the underlying rationale for the ratings.
All too often organizations misallocate resources to the easiest fixes or the squeakiest wheel regardless of the level of risk. Comparing the ratings of the risk factors across the significant processes provides an overview of the risks to the organization and prioritizes risks and high risk processes for decision makers, leading to an appropriate allocation of resources.
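As an added illustration (not code from the article or its authors), the rating and cross-process comparison described above in a small Python risk register: the one-to-five likelihood and impact scales are the article's, while the product-based banding into Low/Moderate/High and the sample ratings are assumptions made here.

```python
from dataclasses import dataclass

@dataclass
class RiskRating:
    """One cell of the risk register: a risk factor rated within one process."""
    process: str          # significant process, e.g. "Revenue"
    factor: str           # risk factor, e.g. "Reputation"
    likelihood: int       # 1 = virtually no possibility ... 5 = almost certain to occur
    impact: int           # 1 = no impact ... 5 = highly significant material impact
    rationale: str = ""   # key discussion points behind the ratings
    def __post_init__(self):
        # Reject anything outside the article's one-to-five scales.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..25

    @property
    def level(self) -> str:
        # Assumed banding of the product; the article gives no exact combination rule.
        if self.score >= 15:
            return "High"
        return "Moderate" if self.score >= 8 else "Low"

def prioritize(register):
    """Rank every rating across all processes, highest inherent risk first (ties by impact)."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)

def process_summary(register):
    """Worst level seen in each process: the cross-process view for decision makers."""
    order = {"Low": 0, "Moderate": 1, "High": 2}
    summary = {}
    for r in register:
        current = summary.get(r.process, "Low")
        summary[r.process] = max(current, r.level, key=order.__getitem__)
    return summary

# Constructed sample register (illustrative ratings, not figures from the article).
SAMPLE_REGISTER = [
    RiskRating("Revenue", "Reputation", 4, 5, "Unconventional sales techniques in use"),
    RiskRating("Revenue", "Fraud", 3, 4, "Commission-driven incentives"),
    RiskRating("HR", "Reputation", 2, 3, "Low public exposure"),
    RiskRating("Cash", "Misappropriation", 3, 5, "Cash easily stolen or borrowed"),
    RiskRating("IT support", "Compliance", 2, 2, "Few regulatory obligations"),
]
```

Sorting the whole register rather than each process tab separately is what keeps resources from going to the "squeakiest wheel": a Moderate item in one process never outranks a High item in another.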
The net effect of implementing and reporting on this type of comprehensive approach is multi-faceted:
Conclusion

The organizational risk assessment can be your first step in establishing a risk management function. Considering that the general business environment, economics and technology standards are continuously evolving and can have a significant impact on a business, an organizational risk assessment should be conducted or updated at least annually. Areas of high risk should be carefully evaluated for the adequate application of controls and monitored to ensure those controls are operating as designed.
Laurie Scofield, CPA, is an independent consultant currently working in the New York Metropolitan area. Her risk management practice focuses on process improvement and internal control restructuring with an emphasis on technology and control automation. Scofield can be reached at (973) 223-5951. Eric S. Martinez, CPA, JD, is an audit partner at Grassi & Co. where he specializes in all aspects of accounting, including consulting and financial reporting. He has more than 20 years of public accounting and consulting experience serving clients across a wide variety of industries, including international companies. Martinez can be reached at (516) 336-2429.