How to Assess Risk
In operations, financial reporting and compliance, risks need to be identified and analyzed. Assessing risk enables you better achieve your group's goals by helping you determine how pitfalls should be managed.
Who is Responsible?
Managers must determine the level of operations, financial and compliance risk they are willing to assume. Assessing risk enables managers to proactively reduce unwanted surprises.
How to Identify Risk
A risk is anything that could jeopardize the achievement of an objective. It's important that risks be comprehensively identified for each objective at the department level and at the activity or process level. Both external and internal risk factors must be considered. Usually, several risks can be identified for each objective.
To identify risks, consider:
- What could go wrong?
- How could we fail?
- What must go right for us to succeed?
- Where are we vulnerable?
- Which assets do we need to protect?
- Do we have liquid assets or assets with alternative uses?
- How could someone steal from the department?
- How could someone disrupt our operations?
- How do we know whether we are achieving our objectives?
- On what information do we most rely?
- On what do we spend the most money?
- How do we bill and collect our revenue?
- Which decisions require the most judgment?
- Which activities are most complex?
- Which activities are regulated?
- What is our greatest legal exposure?
These are transactions that deserve a thoughtful risk review. Here are some examples:
- Assets with alternative uses
- Cash receipts
- Confidential information
- Consultant payments and other payments for services
- Equipment delivered directly to department
- Equipment moved off location
- Grants (meeting terms, not overspending)
- Intellectual property
- Payments to non-vendors
- Payroll (rates, changes, terminations)
- Petty cash
- Purchase exemptions (Sole Source)
- Software licensing issues
- Travel expenditures
After risks have been identified, an analysis should be performed to set priorities:
- Assess the likelihood (or frequency) of the risk occurring.
- Estimate the potential impact if the risk were to occur. Consider both quantitative and qualitative costs.
- Determine how the risk should be managed; decide what actions are necessary.
Prioritizing helps departments focus their attention on managing significant risks such as risks with reasonable likelihoods of occurrence and large potential impacts.
Risk Assessment Tips
- Make sure the department has a mission statement and written goals and objectives.
- Assess risks at the departmental level.
- Assess risks at the activity (or process) level.
- Complete a Business Controls Worksheet for each significant activity (or process) in the department; prioritize those activities (or processes) that are most critical to the success of the department and those activities (or processes) that could be improved the most.
- Make sure that all risks identified at the department level are addressed on the Business Controls Worksheet.