Having worked with numerous Fortune 500 companies on a range of governance, risk and compliance initiatives during the past several years, I have witnessed a wide variety of methods for evaluating impact and likelihood. Some have included a three point (low, medium and high) qualitative scale, where others have utilized statistical analysis of materiality and historical loss data in conjunction with risk modeling techniques such as Monte Carlo.
One significant trend that I have seen is the emergence, and increasing use, of a risk rating maturity model. Companies with less mature risk management programs have begun by utilizing a simple qualitative approach and have moved to a more mature quantitative approach as better data becomes available and the need for sophistication arises. In most cases, those who take the prescriptive steps to avoid the risk evaluation “landmines” listed here are the most successful. No matter where you are on the continuum, here are three scenarios to avoid at all costs:
Risk Evaluation Pitfalls
- Trying to get too mature too fast
If an organization develops a sophisticated model for evaluating inherent risk but does not make sure the model is fully understood by all risk managers, the company will struggle to implement it correctly. In addition, it will take so long for individuals to generate the risk rating that they will have no time to analyze the results. Finally, the results will provide so much data that the organization will not be able to tell what it all really means. This is a typical case of “paralysis by analysis.”
- Taking too long to decide on one approach
A different problem often comes into play when trying to decide what evaluation method to utilize. Many companies conduct countless meetings with too many stakeholders arguing about which approach to take. Each person comes to the table with his or her own ideas and motives, trying to impose those thoughts on the rest of the group. This approach wastes valuable resources and time.
- Leveraging a single evaluation method for all risks
A third pitfall involves trying to push a square peg through a round hole. Organizations often select a risk evaluation methodology that seems reasonable, but they quickly discover that they have not put it into the right perspective for the unique needs of their organization. For instance, measuring the potential impact of a risk by evaluating the materiality of the business unit and tying that to the risk and the criticality of the asset being threatened can be an unreasonable approach when not all risk can be financially quantified. In addition, what may be considered material or critical to one business unit may not be when evaluated at the global level.
Unfortunately, risks are all around us and they are not going away. In order to effectively manage risks, companies must adopt an integrated platform approach to risk management rather than the traditional reactive “project” mode of operation. This integrated platform approach begins with a risk inventory of all potential threats to the organization, which is sourced utilizing top-down and bottom-up data collection techniques.
Risks are then evaluated for impact and likelihood to determine an inherent risk rating. The rating is determined by employing a risk rating maturity model based on evolving the complexity of the rating from qualitative to quantitative measures over time. The residual risk rating is then determined for each risk based on the existence of effective mitigating controls and the status of mitigation response techniques.
The effectiveness of controls should be based on compliance testing already taking place throughout the organization, thus linking risk and compliance. The risk inventory and related evaluation is a simple process but requires an effective tool to manage the data. A comprehensive GRC solution is the most appropriate selection as it can link data that already exists in other processes and enable the evolution of the company’s methodology over time.
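As an added illustration of the rating process described above (this is example code written for this page, not Archer's product or the author's own method), the script below walks one constructed risk inventory entry through both stages of a risk rating maturity model: a three-point qualitative scale that combines impact and likelihood into an inherent rating, a residual rating discounted by control effectiveness taken from compliance testing, and a quantitative stage that bootstraps historical loss data through a Monte Carlo simulation of annual loss. The scale bands, the formula for residual risk, the historical loss figures and the annual event frequency are all assumptions chosen for the example.

```python
import math
import random

# Stage one of the maturity model: a qualitative three-point scale.
# The numeric weights and the band cut-offs are assumptions for this example.
QUAL_SCALE = {"low": 1, "medium": 2, "high": 3}


def inherent_qualitative(impact, likelihood):
    """Combine low/medium/high impact and likelihood into an inherent score (1..9)
    and a band. Unknown scale values raise rather than silently scoring zero."""
    score = QUAL_SCALE[impact.lower()] * QUAL_SCALE[likelihood.lower()]
    if score >= 6:
        band = "high"
    elif score >= 3:
        band = "medium"
    else:
        band = "low"
    return score, band


def residual_score(inherent, control_effectiveness):
    """Residual risk = inherent risk reduced by effective mitigating controls.
    control_effectiveness is the pass rate from compliance testing, 0.0..1.0."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return inherent * (1.0 - control_effectiveness)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def annual_loss_simulation(historical_losses, annual_frequency,
                           control_effectiveness=0.0, iterations=10000, seed=7):
    """Stage two of the maturity model: a quantitative annual loss estimate.
    Each simulated year draws a Poisson number of loss events and bootstraps
    each event's magnitude from historical loss data. Controls are assumed to
    reduce event frequency in proportion to their tested effectiveness."""
    if not historical_losses:
        raise ValueError("need at least one historical loss observation")
    rng = random.Random(seed)  # fixed seed makes the estimate reproducible
    effective_rate = annual_frequency * (1.0 - control_effectiveness)
    years = []
    for _ in range(iterations):
        events = _poisson(rng, effective_rate) if effective_rate > 0 else 0
        years.append(sum(rng.choice(historical_losses) for _ in range(events)))
    years.sort()
    return {
        "mean": sum(years) / len(years),
        "p95": years[int(0.95 * (len(years) - 1))],
    }


if __name__ == "__main__":
    # Constructed inventory entry; the values are illustrative, not real data.
    risk = {
        "name": "Unpatched internet-facing server",
        "impact": "high",
        "likelihood": "medium",
        "control_effectiveness": 0.6,       # 60% of patch-SLA tests passed
        "historical_losses": [12000, 45000, 80000, 150000],
        "annual_frequency": 1.5,
    }
    score, band = inherent_qualitative(risk["impact"], risk["likelihood"])
    print(f"{risk['name']}: inherent {score} ({band}), "
          f"residual {residual_score(score, risk['control_effectiveness']):.1f}")
    before = annual_loss_simulation(risk["historical_losses"], risk["annual_frequency"])
    after = annual_loss_simulation(risk["historical_losses"], risk["annual_frequency"],
                                   risk["control_effectiveness"])
    print(f"annual loss before controls: mean {before['mean']:.0f}, p95 {before['p95']}")
    print(f"annual loss after controls:  mean {after['mean']:.0f}, p95 {after['p95']}")
```

The point of keeping both stages in one script is that the inventory entry does not change between them: an organization can start with the qualitative functions and switch the same risk to the Monte Carlo estimate once it has enough loss history, which is the gradual evolution the maturity model calls for.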
At the end of the day, the most effective approach to risk management is one that leverages a highly scalable platform through which new risks and regulations can be responded to in proportion to the threat they represent. If I’ve learned anything from my interactions with customers, it is that executive management is able to make the best decisions when they can fully evaluate risk data from across the entire enterprise.
About David Walter
A seasoned finance professional, David Walter provides expert insight into compliance and risk challenges. Walter currently serves as director of GRC product management for Archer Technologies, a provider of enterprise governance, risk and compliance (GRC) solutions, where he directs the vision of all GRC solutions including Risk, Vendor, Compliance and Audit Management. A CPA, he formerly served a diverse set of public and private companies, with roles including director of internal audit, CFO and vice president of finance. To learn more about David Walter or Archer Technologies, please visit www.archer.com.