Assessing risk
Assessing risk is a process in enterprise risk management that involves determining how much risk a company faces. While assessing risk can focus entirely on evaluating the negative impact of a company's exposure to uncertainty, it can also be used to identify potential opportunities.
Developing assessment criteria
The first step in the risk assessment process is to develop a common set of assessment criteria that can be used across operating segments, entities, or business units.
If your company or department is new to enterprise risk management, you can begin by assessing risk in terms of likelihood and impact. Once you have refined your assessment process and gained more insight into your company's risk profile, you can begin evaluating risk across additional dimensions, such as vulnerability and velocity.
For detailed information on developing assessment criteria, see Configuring risk scoring settings.
Assessing inherent risk
Inherent risk is a calculation that derives from an assessment of an untreated risk. It is the raw risk a company faces if no controls or other mitigating factors have been put in place.
How do I assess inherent risk?
You assess inherent risk based on the risk scoring framework your company defined.
Assessing inherent risk involves:
- associating risks with strategic objectives defined in the Strategy Map
- assessing risk across all operating segments on multiple risk scoring factors
The table below describes three approaches you can use to assess inherent risk:
Approach | Useful for... | Information |
---|---|---|
Collaboratively assess risk using a Risk Workshop | companies that want to discuss and collaborate on risk scoring in Diligent One | |
Individually assess risk in Risk Profile | companies that want to manually enter data into their Risk Profile after conducting discussions outside of the Diligent One platform | Assessing inherent risk |
Use assessment drivers to automate risk assessments | companies that want to automate risk assessments and notify key stakeholders when changes occur | Automating strategic risk assessments |
Defining risk treatment
Risk treatment consists of the measures a company takes to mitigate risk. Measures may include initiatives, programs, policies, or control objectives, which you can create in the Projects app and link to strategic risks in the Strategy app.
How do I define risk treatment?
After you assess inherent risk, you can define risk treatment. You define risk treatment by linking objectives in the Projects app to strategic risks in the Strategy app. This linkage allows you to aggregate assurance information and testing results from Projects and assess residual risk in Strategy.
For more information, see Defining risk treatment.
Assessing residual risk
Residual risk is a calculation that derives from an assessment of how much risk remains after controls and other mitigating factors have been put in place. Residual risk is important for showcasing where the areas of highest risk are in the company so that resources can be deployed accordingly.
How do I assess residual risk?
After assessing inherent risk and defining how the risk is being treated, you perform a preliminary treatment evaluation that assesses how much the treatment reduces the risk. This allows you to identify areas where the business is exposed to risk beyond the company's risk appetite.
Assessing residual risk involves specifying a treatment percentage to define how much of the treatment reduces the inherent risk. The treatment percentage is based on the expected effectiveness of treatment efforts in place, before controls have been tested to provide assurance.
For steps on assessing residual risk, see Assessing residual risk.
Identifying risks vs. opportunities
Once you have finished your inherent risk assessment and preliminary treatment evaluation, you can better understand the areas of the company that are of most concern. You may want to monitor the risks that most impact your company, and ensure that treatments are sufficiently reducing the impact of the risk.
Sometimes, the preliminary treatment evaluation may show that you are investing too many resources in mitigating a risk (Treatment% >= 100%). In this case, the risk assessment shows potential opportunities for reducing the amount of treatment applied to a particular risk, and scaling back resources associated with the risk treatment.
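The following is an added worked example, not Diligent One's own scoring engine, that carries the residual risk evaluation and the opportunity check described above through in code. It assumes a simple likelihood-by-impact inherent score on a 1 to 5 scale, a residual score of inherent multiplied by (1 - treatment%), and a numeric risk appetite threshold; the page does not state the platform's exact formulas, so these are illustrative assumptions, as are the sample risks.

```python
from dataclasses import dataclass

# Assumed scoring model (not Diligent One's own):
#   inherent  = likelihood * impact            (each scored 1..5)
#   residual  = inherent * (1 - treatment%/100), floored at zero
#   a risk is "beyond appetite" when residual exceeds the appetite threshold
#   a risk is an "opportunity" when treatment% >= 100, i.e. over-treated


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    treatment_pct: float   # expected treatment effectiveness, untested controls


def inherent_score(risk: Risk) -> int:
    """Raw, untreated risk score."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Risk remaining after the preliminary treatment evaluation.

    Treatment above 100% cannot reduce risk below zero, so it is capped.
    """
    reduction = min(risk.treatment_pct, 100.0) / 100.0
    return inherent_score(risk) * (1.0 - reduction)


def classify(risk: Risk, appetite: float) -> str:
    """Label a risk as 'opportunity', 'beyond appetite', or 'within appetite'."""
    if risk.treatment_pct >= 100.0:
        return "opportunity"          # candidate for scaling back resources
    if residual_score(risk) > appetite:
        return "beyond appetite"      # needs more or better treatment
    return "within appetite"


def evaluate(risks: list, appetite: float) -> dict:
    """Map each risk name to (inherent, residual, classification)."""
    return {
        r.name: (inherent_score(r), residual_score(r), classify(r, appetite))
        for r in risks
    }


def rank_by_residual(risks: list) -> list:
    """Risk names ordered highest residual first, for resource prioritisation."""
    return [r.name for r in sorted(risks, key=residual_score, reverse=True)]


# Constructed sample register (hypothetical values, not from the page).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", likelihood=4, impact=5, treatment_pct=60),
    Risk("Critical vendor outage", likelihood=3, impact=3, treatment_pct=30),
    Risk("Legacy app decommission", likelihood=2, impact=2, treatment_pct=120),
]
RISK_APPETITE = 7.0   # assumed threshold on the residual score


if __name__ == "__main__":
    for name, (inh, res, label) in evaluate(SAMPLE_RISKS, RISK_APPETITE).items():
        print(f"{name:30s} inherent={inh:2d} residual={res:5.2f} {label}")
    print("Priority order:", rank_by_residual(SAMPLE_RISKS))
```

The over-treated legacy decommission risk surfaces as an opportunity even though its residual score is zero, which is the point of the Treatment% >= 100% check: a treatment percentage at or above 100 signals resources that could be redirected to the risks still sitting beyond appetite.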