There are pivotal decisions made in our lives and careers that can lead to undesired consequences. Often, these undesired consequences can be mitigated by assessing risk on a regular basis before decisions are made. Risk assessment is a great tool to aid in making risk informed business decisions. The following questions remain: What is risk and how can risk be identified and mitigated?
Risk is comprised of two parts: (1) the possibility of losing something of value, and (2) the impact if an event does occur.
There are two general types of risks that face businesses, internal and external.
• Internal risk is the threat that something or someone within your business is going to compromise business operations. Types of internal risks include human, physical, and technological.
• External risk is the threat that something outside the business is going to compromise business operations. Types of external risks include economic, natural, and political.
Assessing internal and external risk can be accomplished by performing the following procedures:
1) Identifying risk:
Internal risks are inherently easier to identify and control. Identification of internal risk is best assessed by integrating internal controls into business operations and then identifying weaknesses in those controls. The focus of these controls are effectiveness, efficiency, and reliability of reporting. Examples of internal business risks include the following: the departure of a key employee, dishonest employees, ineffective management or leadership, theft and embezzlement, outdated operating systems and computer equipment.
External risks are events that cannot be controlled by one person or forecasted with a high degree of reliability. As a result, it’s difficult to reduce external risks. Events considered to be external business risks include: economic downturns, new competitors, changes in consumer behavior, natural disasters, and changes in the political environment or governmental policy.
2) Valuing risk:
The next step is to assign a value to each risk. This value represents the impact on the business should the identified risk occur. To value each identified risk, gather as much data as possible to accurately assess the consequences of each event occurring. The risk value is equal to the probability of the risk multiplied by the cost to the company if the risk were to occur.
3) Managing risk:
There are several ways to manage risk, including:
o Mitigating the risk: This involves putting contingency plans in place. Having a contingency plan will allow a company to move forward with minimal downtime in the event a risky situation occurs. For instance, if your company is hosting a promotional event that is held outdoors, such as a festival, there is a risk that it might rain. If it were to rain, attendance is likely to decrease, and in turn, decrease the potential profit from the event. Possible ways to mitigate the risk of rain would be to rent a large tent to provide shelter from the rain or provide umbrellas for attendees.
o Avoiding the risk: In drastic circumstances, if the risk value and consequences are too high, risk could be avoided completely by cancelling or stopping the high-risk business initiative. For example, if a new product launch could cripple the company financially, you could pull the launch until the company’s finances stabilize.
o Sharing the risk: In this case, the risk could be shared with, or transferred to, another party. This applies mainly to financial risks and situations that can be identified and written into contracts. One example is insuring yourself against the risk of fire. The insurer carries the financial risk if a fire destroys the company’s office building.
o Accept the risk: Of course, you can always do nothing. You should, though, make a conscious, informed choice to accept the risk. Do not opt for it by default because other options have not been carefully examined. This strategy works best for minor risks where the impact is small, or for risks that are unlikely to occur, such as floods and earthquakes.
4) Review regularly:
To ensure that risk mitigation techniques are working properly and that you are aware of risks that may pose threat, review the work environment and controls in place at regular intervals throughout the year, as deemed necessary.
Knowing how internal and external risk factors affect your company can protect it and help it thrive. Increasing your awareness of business risks and adopting a thorough risk assessment process as discussed above, will lead to increased readiness resulting in a more favorable outcome should an event occur. For assistance in application of risk assessment procedures, please contact Kristi Yanover, Audit Partner, at (858) 558-9200, or any member of our Assurance & Advisory Services team.