Business Risk Assessments

Once issues have been validated and recorded, either as a result of an audit or an internal review, the associated business risk needs to be assessed. A formal risk assessment should be prepared and documented by the owner of the process where the exposure or problem was found.

The formal risk assessments should at least address the following elements:

  • Definition of the problem

  • Quantification of the risk

  • Development of alternatives

  • Calculation of the financial impact for each alternative

  • Selection of the optimum solution

  • Documentation of the decision

  • Categorization of the risk

  • Approval of the decision

  • Revalidation of the risk assessment and decision

Definition of the problem – The first step in a risk assessment is to state the exposure or problem that was identified.

Quantification of the risk – The owner should take into consideration the following when quantifying the risk:

  1. Impact in slowing the business down

  2. Potential or actual dollar loss

  3. Cost of recovery

  4. Time to recover

  5. Possibility of fraud or theft

  6. Probability of occurrence

  7. Probable duration of the exposure

  8. Criticality to the business

  9. Cost of adding control

  10. Cost of alternatives

Development of alternatives – As a result of the assessment, a decision should be made to select one of the following alternatives: continue with business as usual, enhance controls that are already in place, or introduce new controls to the process.

Calculate financial impact for each alternative – The cost associated with each enhancement or new control to be developed needs to be calculated.

Select optimum solution – The business decision as to which alternative is selected should be based on financial impact. The cost of each alternative should be weighed against the financial impact of the business exposure. As a result, a decision should be made either to accept the risk and continue with business as usual, or not to accept the risk and either establish new controls or enhance existing controls.

Document decision – The rationale for the decision that is chosen should be fully explained within the formal risk assessment.

Categorize the risk – The owner of the risk should categorize the risk as high, medium or low based on an evaluation of what the exposure could cost the business in tangible and intangible losses.

Approval of the decision – The decision should be approved by at least two levels of process management. Medium risks should be brought to the attention of the Chief Audit Executive and high risks brought to the attention of the Audit Committee.

Revalidation of the risk assessment and decision – All risk assessments should be evaluated on at least an annual basis, with high risks possibly evaluated more frequently. Revalidation is necessary because the environment, organization, company's position, economic situation, etc., may change during the interim. These factors could affect the decision that was first made when evaluating the risk; it may no longer be valid, hence the need for revalidation and reassessment.

Ed Danter
