The current economic situation has caused an upheaval of industries and driven long-standing organizations to the edge of bankruptcy, into bankruptcy or out of business.
It’s easy to assume the companies that found themselves in trouble hadn’t properly assessed their risks, but most of those organizations did have risk assessment procedures in place, says James P. Martin, CMA, CIA, CFE, CFD, CFFA, a senior manager at Cendrowski Corporate Advisors.
“They had analysts, auditors, very capable management staffs and risk management policies and procedures,” says Martin. “Regulators had increased the role of the board in risk assessment activities, mandated new audit procedures and defined many new compliance programs in the wake of the Sarbanes-Oxley Act. And still, these organizations were overtaken by factors that were not effectively addressed in their risk planning.”
Stories like these are leading shareholders, regulators, board members and management to ask how this could happen and what can be done to prevent it from happening to them.
Smart Business spoke with Martin about how to conduct risk assessments, how they should be structured and the pitfalls to avoid when performing them.
What does risk assessment involve?
The classic definition of risk assessment is identification of anything that is harmful to the organization’s objectives. The analysis should include both internal and external factors, and also cover financial and nonfinancial objectives. Risks are traditionally evaluated in terms of likelihood (What are the chances that this event could happen?) and impact (What would be the effects on the business’s objectives if it were to happen?). Turning these broad concepts into actions and responsibilities can create issues, most notably when defining how often the risk assessment activities should be performed and who should be involved.
Many organizations treat risk assessment as an annual task involving senior management, internal audit or the risk and control department. This treatment, however, misses the perceptions of employees involved in day-to-day operations and eliminates the chance for refinements during the course of the year. In small and medium-sized organizations in particular, the risk management role is often bundled up with finance and becomes merely a ‘check box’ exercise.
What are some common mistakes businesses make when performing risk assessments?
Most risk assessment procedures are one-dimensional and do a poor job of identifying the impacts of cascading factors. For example, organizations might consider a power outage at a processing center as a risk and conclude that generators would power the center or employees would be able to work from home to process work.
Such plans were proved wrong by the Northeast Blackout of 2003, which left approximately 55 million people without power from New Jersey to Michigan, disabled most digital phone stations and caused a failure of water treatment plants. Additionally, some risk assessment procedures could fail to identify remote threats.
How could civil unrest in a remote country in Africa affect production of a product? If the country is a main producer of a rare element that is critical to a subcomponent of the product, such unrest could disrupt the supplier network.
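The two failure modes Martin describes above, a fallback that quietly depends on the very resource that failed and a supplier several tiers removed from the finished product, can both be caught by modelling what each capability and each mitigation requires and then removing everything one triggering event takes down. The following Python is an added illustration, not part of the interview and not Cendrowski's method; every resource name, dependency and scenario in it is constructed for the example (the assumption that a processing center closes without water, for instance, is ours), though the grid-to-phone-network and grid-to-water-treatment links mirror the blackout effects the article cites.

```python
"""Dependency-aware risk check: does a mitigation survive the event it is meant for?

A one-dimensional register lists a risk ("power outage at the processing center")
and a mitigation ("generators, or staff work from home") and stops. The check
below instead models what each capability and each fallback requires, removes
everything a single triggering event takes down, and re-evaluates, so a fallback
that silently depends on the failed resource is exposed. Every name and
dependency here is constructed for illustration, not taken from a real organization.
"""

# node -> list of alternative paths; a node is available if ANY path is available,
# and a path is available only if ALL of its requirements are. Names that never
# appear as keys are base resources (leaves).
DEPENDENCIES = {
    "process_payments": [
        ["center_power", "center_staff", "core_systems"],   # normal operation
        ["generators", "center_staff", "core_systems"],     # mitigation 1: backup power
        ["remote_work", "core_systems"],                    # mitigation 2: work from home
    ],
    "remote_work": [["home_power", "phone_network", "internet_access"]],
    "center_staff": [["commuting", "water_supply"]],  # assumed: building closes without water
    "water_supply": [["water_treatment"]],
    "water_treatment": [["grid_power"]],   # treatment plants failed in the 2003 blackout
    "phone_network": [["grid_power"]],     # digital phone stations were disabled too
    "center_power": [["grid_power"]],
    "home_power": [["grid_power"]],        # assumed: staff homes are on the same regional grid
    "ship_product": [["assembly", "logistics"]],
    "assembly": [["subcomponent_x", "plant_staff"]],
    "subcomponent_x": [["rare_element", "subcomponent_supplier"]],
    "rare_element": [["mine_country_a"], ["mine_country_b"]],  # two alternative sources
}


def base_resources(graph=DEPENDENCIES):
    """Leaf resources: everything required somewhere but defined nowhere."""
    required = {req for paths in graph.values() for path in paths for req in path}
    return required - set(graph)


def evaluate(failed, graph=DEPENDENCIES):
    """Return {node: available?} for every node in the graph.

    `failed` may name base resources or intermediate nodes; failure propagates
    upward through every path that requires a failed node.
    """
    failed = frozenset(failed)
    memo = {}

    def avail(node):
        if node in memo:
            return memo[node]
        if node in failed:
            memo[node] = False
        elif node not in graph:            # base resource the event did not touch
            memo[node] = True
        else:
            memo[node] = False             # provisional: a cyclic dependency counts as failed
            memo[node] = any(all(avail(r) for r in path) for path in graph[node])
        return memo[node]

    for node in graph:
        avail(node)
    return memo


def impact(failed, graph=DEPENDENCIES):
    """Sorted list of modelled nodes (not leaves) that an event renders unavailable."""
    state = evaluate(failed, graph)
    return sorted(node for node in graph if not state[node])


def single_points_of_failure(capability, graph=DEPENDENCIES):
    """Base resources whose loss alone, after cascading, takes the capability down."""
    return sorted(r for r in base_resources(graph)
                  if not evaluate({r}, graph)[capability])


if __name__ == "__main__":
    # The register's view: center power fails, the mitigations hold.
    print("center_power only  ->", evaluate({"center_power"})["process_payments"])
    # The cascading view: the grid fails, and both mitigations fail with it.
    print("grid_power         ->", impact({"grid_power"}))
    print("SPOF payments      ->", single_points_of_failure("process_payments"))
    print("unrest in A        ->", impact({"mine_country_a"}))
    print("unrest in A and B  ->", impact({"mine_country_a", "mine_country_b"}))
    print("SPOF shipping      ->", single_points_of_failure("ship_product"))
```

Run against the constructed graph, the isolated "center power fails" scenario leaves payments processing available through the generators, which is the conclusion a one-dimensional register reaches. Failing `grid_power` instead propagates into the phone network, the staff's home power and the water supply, so both the generator path and the work-from-home path collapse and `grid_power` shows up as a single point of failure that the register never listed. The supplier case works the same way: losing one mine is absorbed by the alternative source, losing both stops shipment, and `single_points_of_failure` makes the single-sourced supplier visible without anyone having to think of the country by name.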
How involved should a company’s board be with risk assessment?
The board sets the overall tone for the organization, and with risk assessment, it should primarily be driving and clearly defining the organization’s risk appetite. Risk appetite includes the long-term business strategy, the long-term and short-term expectations of the stakeholders of the organization, and the nature and characteristics of risks being considered.
The board needs to be involved to ensure that the organization considers the impacts of risk occurrence in a meaningful way. It also needs to champion risk management’s role in improving processes, integrating measurement and ensuring consistent application of best practices across the enterprise.
Most important, the board needs to be strong enough to stand up to management when it appears the organization is heading down a dangerous path without clearly defining the potential pitfalls that naturally come with any course of action.
Risk management cannot be viewed as an academic exercise, and board members must be serious about their duties. Board members must be well-versed in risk management techniques and be able to evaluate risk reports provided to them. Also, they must be independent and courageous enough to insist on an appropriate course of action, not just in bad times but in good times as well.
What other things need to be considered when conducting risk assessments?
Organizations need to strive to better integrate senior management, operations, the finance function and the risk assessment function in a continuous evaluation of risk factors in the context of the ongoing business. Financial plans and reports should include comprehensive risk indicators. This should be coupled with an adaptive organizational structure that is ready not just to respond to risk occurrences but also to seize the opportunities that are presented.
Also, companies need to use their organizational data resources, both information technology-based as well as human capital-based, to be able to more rapidly identify early warning signs and formulate alternative courses of action. Most important, there needs to be a fundamental change in which communication of risk factors is encouraged throughout all levels of the organization.
Open communication generates an atmosphere of honesty, which will help the organization gather and evaluate critical risk factors known throughout the organization.
James P. Martin, CMA, CIA, CFE, CFD, CFFA, is a senior manager for Cendrowski Corporate Advisors. Reach him at (866) 717-1607.