As the business risk landscape continues to evolve and becomes increasingly complex, it is important for organizations to conduct their risk and control assessments effectively and efficiently in order to achieve their strategic objectives.
The risk and control assessment can be qualitative, quantitative or both, and its objective is to help the organization identify, measure and monitor the risks it is exposed to and the controls put in place to mitigate the impact of those risks.
A risk and control assessment can be carried out at the organization’s strategic, process and activity level. For example, by carrying out the risk and control assessment at the strategic level, the organization is able to take a bird’s eye view of risks and controls from the perspective of its business objectives.
Similarly, at the process level, the organization is able to identify and evaluate the various processes it undertakes, their objectives, inherent risks and any bottlenecks in controls implemented.
Conducting a risk and control assessment is not a box-ticking exercise or merely a listing of risks. Done properly, a risk and control assessment enhances strategic planning and execution and helps improve business performance.
It is therefore important that prior to carrying out the risk and control assessment the management team fully understands the benefits of such an activity to the organization.
Some of the benefits that accrue to the organization from effectively and efficiently conducting a risk and control assessment include:
- The board and senior management get a clearer understanding of all the enterprise risks which the business faces.
- Risks which have insufficient controls are identified, which results in action plans being set to enhance existing controls and implement new ones.
- The board and senior management are able to identify opportunities for profitable risk-taking and business optimization.
- ERM processes are embedded into the core business processes, which results in increased acceptance of a risk culture in the business.
- Communication of the organization’s view of its risks and controls improves, which leads to a better response to issues within the business because the risks are more clearly understood.
In addition to knowing and understanding the benefits of an effective and efficient risk and control assessment to the business, it is also important to know the conditions necessary for conducting a successful risk and control assessment.
One of the requirements is an ERM framework. Without an ERM framework, it is difficult for employees throughout the organization to have a clear understanding of the organization’s structure and processes in the areas of risk identification and controls and how the risk and control assessments align with the overall management and governance of enterprise risks.
Board commitment and sponsorship are also required prior to the risk and control assessment. It is the responsibility of the board to approve the organization’s ERM policy, and without the board’s buy-in the risk and control assessment is likely to face resistance at the lower ranks, which will result in the organization not being able to identify, monitor and evaluate the risks it faces and the existing controls.
In addition to an ERM framework and board commitment and sponsorship, risk and control assessments should begin at the strategic level. A risk and control assessment should be conducted in relation to the business’s strategic objectives, because those objectives provide the focus and the appropriate level at which the assessment can place its risks.
Furthermore, in order for the risk and control assessment to be successful, the organization’s processes and activities must be thoroughly mapped so as to capture all the processes and ensure the identification of risk points as well as areas of weak controls.
This risk and control analysis will ultimately lead to process improvements, particularly through the application of business process improvement techniques such as Six Sigma and Lean analyses.
Lastly, a successful risk and control assessment requires risk events to be clearly defined in terms of cause and effect; a risk owner to be identified, appointed and given responsibility for managing risk events; the evaluation of risk controls in terms of their design and performance; the appointment of a control owner responsible for implementing control procedures; and the creation of action plans that modify or add to existing controls to ensure that the organization’s risk remains within the agreed appetite.