In my recent article, “Balancing Act: Do You Have Too Many Controls, or Too Few?” I summarized the COSO framework for managing risk. In this article, I dig deeper into the assessment side of managing risk.
How well does your management team know the risks embedded in your business? Understanding risk in your organization is instrumental in protecting and successfully growing your company.
By practicing sound risk management, you will identify and manage risks that could jeopardize your company’s earning capacity and assets. The process begins with a risk assessment.
Use the following objectives to develop your risk assessment process:
1. Identify your company's risk management goals;
a. Stakeholder Protection
b. Physical Property Protection
c. Intellectual Property Protection
2. Determine the best method of risk management to meet the goals;
3. Assess the potential for fraud risk, considering who has:
a. Access to assets (tangible and intangible)
b. Authority to buy, sell, dispose of or move assets
c. Security to safeguard assets
4. Identify and analyze the impact of significant change.
a. What new risks does the change create?
b. Apply points 2 and 3 above to the new risks
Types of Risk
It’s critical to consider every aspect of your business when identifying risks. Some may be common and others may be unique to your operation. For example, a company with expensive inventory will need strong controls in place to protect that inventory. A company with a large investment in research and development will need strong patent and non-disclosure protection.
Types of risk can include financial, human, intellectual, legal, physical and technological issues. It is also important to assess risks such as natural disasters or fires, and those linked to product development or economic forecasting.
Identifying a risk should lead to determining the probability of occurrence and the potential financial damage that could result from a failure or other adverse occurrence. Once the risks are identified and analyzed, you will need to establish the controls.
Controls are put in place to mitigate or manage the risk. Depending upon the nature of the risk, the control may take forms such as insurance, business practices, in-house policies or even physical barriers.
Because every business is different, the type of control you choose to implement will vary. For example, a contractor working for the Department of Defense will be bound by very stringent rules and regulations, while a manufacturer developing a product with a customer may limit who can access the technology and protect it with patents.
Below are examples of controls to mitigate the risks highlighted above:
- Financial – Preparing a business plan and evaluating your expertise, the industry or the market to determine what undertakings are financially viable.
- Human – In addition to maintaining a safe work environment to protect employees, companies can protect their human capital through training, effective goal setting and evaluation systems. Compensation structures will help by retaining the employees best suited to help the company thrive and grow.
- Legal – Ensuring compliance with properly negotiated agreements such as employment contracts, franchise requirements or leases.
- Physical – Having adequate insurance to cover damage and downtime from events such as spills, floods and explosions is common; today that has expanded to acts such as terrorism and to data breaches or malware infections, which are commonly excluded from general policies and need dedicated cyber coverage.
- Intellectual – Knowledge and innovations of the mind can be protected through copyrights, design rights, patents, trademarks or trade dress.
A crucial aspect in the process of conducting a risk assessment, making decisions and implementing appropriate controls is timing. Not all risks can be prevented or controlled, and some may even be too costly to mitigate. However, taking a proactive approach and having your response and recovery plans in place beforehand will reduce the chance that an unforeseen event destroys your company.
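The analysis step described above (probability of occurrence times potential financial damage) and the observation that some risks are too costly to mitigate can both be made concrete in a small risk register. The following Python is an added illustration, not code from the original article or from the COSO framework: the risks, probabilities, damage figures and the fraction of risk each control removes are constructed for the example, and the cost-benefit rule (adopt a control only when the loss it avoids per year exceeds its annual cost, otherwise accept the risk) is an assumption of this example, not a rule the article states.

```python
"""Toy quantitative risk register: expected loss and control cost-benefit.

Added illustration. Every name, probability, damage figure and reduction
factor below is constructed for the example, not taken from a real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str        # financial, human, intellectual, legal, physical, technological
    probability: float   # estimated probability of occurrence per year (0..1)
    impact: float        # estimated financial damage if it occurs


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float = 0.0  # fraction of the probability the control removes
    impact_reduction: float = 0.0       # fraction of the damage the control removes (e.g. insurance)


def expected_loss(risk: Risk) -> float:
    """Probability of occurrence times financial damage: the analysis step."""
    return risk.probability * risk.impact


def residual_expected_loss(risk: Risk, control: Control) -> float:
    """Expected loss that remains once the control is in place."""
    p = risk.probability * (1.0 - control.probability_reduction)
    i = risk.impact * (1.0 - control.impact_reduction)
    return p * i


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    return expected_loss(risk) - residual_expected_loss(risk, control) - control.annual_cost


def rank_risks(risks):
    """Highest expected loss first, so the assessment starts where it matters."""
    return [r.name for r in sorted(risks, key=expected_loss, reverse=True)]


def choose_controls(risks, candidates):
    """For each risk pick the candidate control with the best positive net
    benefit; a risk with no such control is accepted (too costly to mitigate).
    The positive-net-benefit rule is an assumption of this example."""
    decisions = {}
    for risk in risks:
        scored = [(net_benefit(risk, c), c.name) for c in candidates.get(risk.name, [])]
        best = max(scored, default=None)
        decisions[risk.name] = best[1] if best and best[0] > 0 else "accept"
    return decisions


# Constructed sample register (hypothetical figures).
RISKS = [
    Risk("inventory theft", "physical", 0.30, 200_000),
    Risk("customer data breach", "technological", 0.10, 1_000_000),
    Risk("warehouse flood", "physical", 0.02, 500_000),
    Risk("loss of lead engineer", "human", 0.20, 40_000),
]

# Constructed candidate controls per risk (hypothetical costs and effects).
CANDIDATE_CONTROLS = {
    "inventory theft": [Control("badge access and cameras", 15_000, probability_reduction=0.8)],
    "customer data breach": [Control("encryption and log monitoring", 40_000, 0.5, 0.5)],
    "warehouse flood": [
        Control("flood barriers", 20_000, probability_reduction=0.5),
        Control("flood insurance", 6_000, impact_reduction=0.9),
    ],
    "loss of lead engineer": [Control("retention bonus", 12_000, probability_reduction=0.5)],
}

if __name__ == "__main__":
    decisions = choose_controls(RISKS, CANDIDATE_CONTROLS)
    for name in rank_risks(RISKS):
        risk = next(r for r in RISKS if r.name == name)
        print(f"{name:24s} expected loss {expected_loss(risk):>10,.0f}  -> {decisions[name]}")
```

Run as a script, the register lists the data breach first (largest expected loss), shows the flood being handled by insurance rather than barriers because the barriers cost more per year than the loss they avoid, and leaves the engineer-departure risk accepted because no candidate control pays for itself. In practice the probabilities and damage figures are the hard part; the arithmetic only makes the trade-offs visible.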