Smart Business spoke with James Martin, managing director at Cendrowski Corporate Advisors LLC, about the finer points of a CRP.
Setting up a CRP is an extension of the risk management process. It involves deep planning around what tools will be needed for specific threat types and proactively ensuring they will be available. When a risk actually occurs, there will be no time for planning and coordination, so it needs to be done upfront. Consider who should be involved, both from a company perspective and any outside experts who would be required. Identify the information that’s essential to evaluate the extent of the threat and analyze an appropriate course of information. Also, consider procedures to ensure that data and information are adequately preserved and available for the CRP.
Challenging times present opportunities for organizations to perform detailed assessments of their operations. Performing operational assessments can help organizations identify, mitigate and take advantage of the risks that they face. These assessments focus on process design and execution risks.
“When properly performed, operational assessments identify areas where process design and execution risks are not aligned with an organization’s risk tolerance,” says James P. Martin, a managing director at Cendrowski Corporate Advisors LLC.
Smart Business spoke with Martin to learn more about operational assessments.
How can operational assessments help?
Organizations must achieve a diverse set of strategic objectives. This is accomplished by translating strategic objectives into what are often interdependent, yet disparate, operational objectives.
Operational objectives include revenue growth, operational efficiency, compliance with laws and regulations, public perception, corporate responsibility and market leadership, as well as customer and employee satisfaction. Attainment of each requires the assumption of inherent risks.
Operational assessments focus on mitigating inherent process design and execution risks through the use of controls. Controls are employed to reduce an organization’s residual risk, or risk after control implementation, to a tolerable level.
What’s included in operational assessments?
Operational assessments examine whether an organization’s processes enable the achievement of strategic objectives. The first step is breaking down process design and execution elements into tasks performed by employees. This is often accomplished through employee interviews, as well as through observation in the workplace.
Once tasks have been identified, risks associated with the accomplishment of tasks are enumerated, as well as controls centered on mitigating risks. Risks are quantified by likelihood and impact. High-likelihood and/or high-impact risks are prioritized for mitigation in operational assessments, as they pose the greatest threat.
How can organizations decrease high-likelihood and/or high-impact risks?
High-likelihood risks can be decreased through preventive controls, while high-impact risks can be decreased by detective controls. For example, organizational training regarding fire hazards decreases the likelihood that a fire will occur. This is a form of preventative control. Proper placement of fire detectors throughout an organization’s premises decreases the potential impact should a fire occur. This is a form of detective control.
For risks that remain at a level too high for the organization to tolerate, new controls must be developed to bring residual risks in line with the organization’s risk tolerance. Otherwise, the organization should consider outsourcing the risk — for example, utilizing hedging strategies and insurance contracts that transfer risk to a third party.
What can be missed when performing operational assessments?
A key element that is sometimes missed by those performing operational assessments is the assignment of clear roles and responsibilities to team members who will oversee the creation and redesign of process controls. Without accountability, proper incentives are not present, and the operational assessment may struggle to achieve its intended results.
How do these assessments differ?
Risk assessments primarily assist organizations in preserving shareholder value, while operational assessments also help organizations grow shareholder value. More specifically, a risk assessment is really a deep dive into one component of an operational assessment. It involves the identification and analysis of potential risks that may impede an organization from achieving its strategic objectives.
By performing risk assessments across the organization, organizational managers can develop plans to mitigate the risks an organization may face, helping preserve its objective from potential threats and, hence, its shareholder value.
Actively identifying internal risks also can help organizational managers remove the opportunity for fraudulent activity.
Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC