There's a sweet spot when it comes to managing enterprise risk. It's the balance of risk assumed by the business and the business benefit. It's a case of the three bears--too much risk and the business is not rewarded properly, too little risk and the business can't grow like it should, the "just right" risk is one where risk is balanced with an appropriate reward.
Today I'm writing about Risk Assessment. By this point we should have defined our guidelines and have alignment with the company strategy. Those two previous points are an important part because by now we should have a handle on what are our high level strategic goals for our business.
In this step three we begin to identify what risks face our business. This step is critical to the overall risk management program because without this step we can not see what barriers might stand in the way to achieving our company objectives.
The risk assessment process should take place in a very structured and regimented manner. The assessment should include folks from all lines and levels within the business--from front line employees through executive management. Depending on the size of your business this can be a huge undertaking, so there's a few ways you can approach this whether it's a risk manager performing interviews at smaller company or performing risk self-assessments for later aggregation at a large company. In any case the process needs to start with identifying folks who know something about the risk areas you are trying to assess. From here you can get as structured as you want and whether you choose to use something as structured as Cobit-type of model to assess risk or you kick the tires and try to uncover barriers to achieving the company objective your methodology needs to be applied uniformly across all your subjects otherwise you'll have problems down the road aggregating feedback to achieve a consolidated view on risk.
Once you've identified risks you can start to assess potential impact, business vulnerability to the risk, and expected likelihood. This information should be consolidated into a report that describes specific risks and significance of each risk, and now your risk managers and executive leadership teams can review feedback and provide insight to higher-level enterprise risks not seen from lower levels in the enterprise. By this point you should be starting to see some trends and commonalities in risks across the enterprise.
Next week I'll write about action planning, risk response, and risk mitigation.
