Everyone knows how important it is to manage risks. However, most of us do not know where to start the process. If you do not already have a risk management process set up in your business, you could follow the steps below to conduct a simple risk assessment of your business.
While this article will not cover how to set up an ERM system in your organization, it will help you come up with a simple risk register for your business, which will prove to be an invaluable asset in managing your business risks.
If you would like assistance from our expert team of risk professionals certified by The Institute of Risk Management, feel free to drop us a line and we will have you covered.
1. Understand your business
2. Conduct what-if scenarios to help identify risk events
Opportunity risks can be identified by looking at the goals of your business and the events that could have an impact on the achievement of those goals. These risk events can originate from internal or external sources. An example would be identifying a risk event that could hinder your goal of opening an outlet at a new location. Identifying risk events based on your goals is a good method to use, since achieving the goals it has set for itself is the number one priority for any business.
However, in order for this method to be effective, it is very important that you have written down goals for your business, both for the long and the short term.
Following is an example of a risk assessment for the goal ‘open a new outlet in a new location by the end of the year’. The example is shown in the form of a risk register.
Risk classification systems enable the organization to classify risk. Classifying risk according to categories such as compliance (mandatory) risks, hazard (pure) risks, control (uncertainty) risks and opportunity (speculative) risks helps organizations to understand how to deal with the risk. In general terms, organizations will seek to minimize compliance risks, mitigate hazard risks, manage control risks and embrace opportunity risks.
3. Assessing the identified risk events based on probability and impact
For risks that will have a financial or a commercial impact, the benchmark test is likely to be based on monetary value, and for risks that could disrupt the infrastructure of the organization, a benchmark test can be based on the impact, cost and duration of disruption.
The next step of the risk assessment process involves assessing the identified risks based on likelihood and impact. It is common for risk practitioners to assess risks based on the current or residual level rather than the inherent level.
Risk likelihood indicates how often a risk is expected to materialize. For hazard risks, previous history can be a good indication of how likely the risk is to occur. The impact is the estimate of the harm that could be caused by the event.
This can be shown in a risk matrix, which is a simple way of demonstrating the level of risk that a particular event represents to an organization. Shown below is an example of a risk matrix with impact on the horizontal axis and likelihood on the vertical axis. A risk matrix is often used to demonstrate the current level of risk after controls are applied.