By Ciara Jackson
Ciara is the Food, Agribusiness & Beverage EMEA Industry Vertical Leader & Risk Consulting Leader for Aon Ireland.
To help ensure risks are identified, assessed, prioritised, and managed effectively, establishment or improvement of risk management tools is required. These include an enterprise-wide risk register, appropriate risk assessment criteria and action plans for mitigating risk or maximising opportunities.
What Is a Risk Register?
A risk register typically lists all key risks identified by the business that could impact objectives. Best practice is for each risk to be assessed based on likelihood (how likely is it that the risk will occur) and severity (impact on the business if the risk to materialises). Some risks carry a high likelihood and a low severity, whilst others have a low likelihood and a high severity, these are commonly referred to as ‘Black Swans’.
Research by Aon[1] identified that business leaders use a variety of methods to identify risk in their business:
• Board and/or management discussion of risk during annual planning processes
• Senior management judgement and experience
• Risk information from teams such as internal audit and compliance
• Structured enterprise-wide risk assessment process
• Industry analysis
• External reports
How Risk Identification Can Add Value to Your Business
For time invested in risk assessment to add value to the business, it is important that risk management is linked to the business strategy and decision-making processes. Risk identification needs to be simple, pragmatic and effective. Risk identification is most successful when undertaken in an interactive and collaborative manner, where senior leaders invest time to discuss risk and opportunity and the potential consequences of each.
Businesses often assess whether the risks are internal to their company, and within their control, or external and therefore beyond their direct control.
Ideally, risks should be grouped into categories, as the table in the example below illustrates:
Conducting risk assessment helps businesses:
- evaluate and prioritise risks
- map current controls against priority risk exposures
- identify risk control improvement opportunities
- define key solutions and principal requirements of risk control
- identify opportunities to improve the company’s approach to managing business risks.
Creating a Risk Register
In our experience, conducting a risk identification and assessment workshop annually is one of the most effective ways a company can identify its risk exposure. Simply put, this involves a cross-functional senior team getting together to discuss risk. Various teams often prepare in advance of the session. For example, HR will assess all the people and talent related risks before the session, similarly the sales team will consider commercial risk, so when the group comes together a holistic view of the business risk is discussed. That way challenging external risks such as climate change, or trade wars, can be considered by the business.
One of the simplest and most effective ways to assess the impact of risks identified is to present the top risks (maximum of 20) on a heat map, with the vertical axis showing severity (impact) and the horizontal axis showing likelihood, as per the graphic above. Each numbered circle represents a risk. Those risks that are in the top right are the ones management should focus on – risks that are highly likely to occur and will have a severe impact.
One of the simplest and most effective ways to assess the impact of risks identified is to present the top risks (maximum of 20) on a heat map, with the vertical axis showing severity (impact) and the horizontal axis showing likelihood, as per the graphic above. Each numbered circle represents a risk. Those risks that are in the top right are the ones management should focus on – risks that are highly likely to occur and will have a severe impact.
The output from this workshop is a risk register, which should:
- Describe the risk succinctly in the form of a risk statement – for example ‘Failure to attract, retain and develop high calibre staff will result in poor service to customers’. The risk statement describes the risk, and the consequence and impact of the risk.
- Many businesses will have a variety of mitigations in place, to help to manage the risk. For the talent example:
- Better clarity on pay and rewards structure
- More visibility of senior management team
- Improve internal recruitment and promotion process
The final step to ensure risk is managed within the business is to assign an owner to each risk. This ensures accountability for measuring and managing the risk and is a simple and effective way to managing progress with risk improvement initiatives.
Horizon Scanning for Emerging Risks
A significant benefit of successful risk identif
ication is that it enables continuous scanning of the ‘horizon’. To keep risk registers alive in your business, an important element of risk identification is to maintain an emerging risk inventory.
ication is that it enables continuous scanning of the ‘horizon’. To keep risk registers alive in your business, an important element of risk identification is to maintain an emerging risk inventory.
Emerging risks are defined as ‘those risks that have not yet been recognised, or those which are known to exist, but are not well understood'. Emerging risks bring:
- high level of uncertainty and volatility
- lack of consensus
- unique organisational impact
- difficult to communicate
References:
[1] Aons Global Risk Management Survey 2019