3. Analyse & Evaluate Risks

Risk Management Framework

Risks represent significant uncertainties about outcomes. Any uncertainty may be measured in two dimensions - the likelihood of the risk event occurring and the extent of the consequences if it were to occur.

Risk analysis generally involves the assignment of an overall risk rating to each of the risk events identified by following these steps:

  • Analyse inherent risk - What is the likelihood and consequence of a risk event if it were to occur in an uncontrolled environment?
  • Identify and evaluate controls - What existing controls are in place to address the identified risk and how effective are these controls in design and operation?
  • Analyse residual risk - What is the likelihood and consequence of a risk event if it were to occur in the current control environment?

Assessment criteria

Assessing risks assists in identifying, analysing and prioritising key business risks. It helps validate and prioritise the key risks to monitor, and it highlights opportunities to improve the current activities the business relies on as controls. A risk assessment provides insight into the significant inherent risks from a practice perspective and links these to a firm's objectives, strategies and business processes.

A firm needs to develop the criteria by which all risks will be assessed. The criteria below include qualitative examples that are suitable for use by midsize firms.

An assessment of likelihood and consequence is subjective, so constructive challenge of ratings by a range of stakeholders can assist in the development of robust risk assessments.

LIKELIHOOD

The probability of the risk occurring, say within the next twelve months, expressed as a percentage between 0% and 100%.

RATING            POTENTIAL FOR RISK TO OCCUR              PROBABILITY
almost certain    Likely to occur frequently               >90%
likely            Likely to occur several times a year     50%-90%
possible          Possibly occurs once a year              10%-50%
unlikely          Likely to occur once every few years     5%-10%
rare              May occur once in 5 years                <5%

CONSEQUENCE

The potential outcome of a risk event that affects a firm's business objectives on the assumption that an event has occurred and the most probable consequence has resulted rather than the worst-case scenario.

RATING            POTENTIAL IMPACT
catastrophic      Could shut down practice/part of firm. Business objectives not achieved.
major             Material impact on practice/firm. Key business objectives not achieved.
moderate          Noticeable impact on practice/firm. Some business objectives not achieved.
minor             Some impact that is easily remedied.
insignificant     Impact not visible.

RISK RATING

The ranking assigned after considering the likelihood and consequence of a risk.

[Figure: risk rating matrix (likelihood against consequence)]

CONTROL ASSESSMENT

Any action or activity that the firm has in place that either reduces the likelihood of a risk event occurring or minimises the potential for impact arising from that event.

RATING              ACTION                                 DESCRIPTION
effective           Effective                              Controls and/or management activities are properly designed and operating as intended.
strong              Limited improvement opportunity        Controls and/or management activities are properly designed and operating, with limited opportunities for improvement identified.
adequate            Moderate improvement opportunity       Controls and/or management activities are in place, with opportunities for improvement identified.
needs improvement   Significant improvement opportunity    Limited controls and/or management activities are in place; a high level of risk remains.
none                Critical improvement opportunity       Controls and/or management activities are non-existent or have major deficiencies and don't operate as intended.

Analyse the inherent risks

Initially, risks are assessed on an inherent basis, considering the likelihood and impact of the risk without taking into account the controls in place in the firm. This helps to understand the importance of controls in mitigating risk.

For each risk identified:

  • Assess inherent likelihood - What is the probability of the risk event occurring if no controls were in place?
  • Assess inherent consequence - What is the extent of the most probable impact of the risk event occurring if no controls were in place?
  • Determine overall inherent risk ranking - Apply a risk rating to determine the overall ranking on the risk matrix.

For each risk, there should be only one overall inherent risk rating, regardless of whether multiple causes or consequences have been identified.

Identify and evaluate controls

A control is any action in place that either reduces the likelihood of an event occurring or reduces the potential consequence arising from the event. For each risk identified, there may be a single or multiple controls in place to address the risk.

For each risk identified:

  • Describe the existing control - What is the process, policy, device, practice or other action that is used to modify the likelihood or the consequence of the risk event occurring? If there is no existing control, there is a control gap.
  • Assess the effectiveness of the control - What is the overall effectiveness of the control in terms of the strength of its design and its operation?
  • Identify the control owner - Who owns the existing control? This is the person or role with accountability for ensuring that the control activity is in place and is operating effectively. The control owner does not necessarily perform the control activity; however, they should have a level of oversight of its performance.
  • Test the control - When was the control activity last tested?
  • Review the control - When is the control activity due for testing and review?

Analyse the residual risk

Residual risk analysis involves the assessment of risk after existing internal controls are taken into account.

A control may be:

  • Designed to reduce the likelihood of the risk event occurring
  • Designed to reduce the consequence if the risk event occurs
  • Designed to reduce both the likelihood and consequence of the risk event
  • Absent, weakly designed, or operating ineffectively, so that neither the likelihood nor the consequence is reduced.

For each risk identified:

  • Assess the residual likelihood - What is the probability of the risk event occurring within the current control environment? This should be determined after a review of the effectiveness of the control.
  • Assess residual consequence - What is the most probable impact of the risk event if it were to occur within the current control environment? Assume that the controls are operating at their assessed strength, rather than the maximum consequence if the controls were to fail.
  • Determine overall residual risk ranking - Apply a risk rating to determine the overall ranking on the risk matrix.

For each risk, there should be only one overall residual risk rating, based on the effectiveness of the controls in place to address the risk.

Example

The key output from the risk analysis and evaluation stage is an assessment of current control effectiveness and an overall risk rating for each identified risk. An example of how this can be documented in a risk register is shown:

RISK: Failure to meet compliance obligations
  Inherent risk analysis   Likelihood POSSIBLE, Consequence MAJOR, Risk Rating HIGH
  Control assessment       Existing control: Informal annual review process used to capture new compliance requirements and review/update existing requirements
                           Control effectiveness ADEQUATE, Owner: Compliance Officer, Control last tested 30-Apr-12, Review 31-Jan-13
  Residual risk analysis   Likelihood UNLIKELY, Consequence MAJOR, Risk Rating TOLERABLE

RISK: Loss of Practitioner
  Inherent risk analysis   Likelihood POSSIBLE, Consequence MAJOR, Risk Rating HIGH
  Control assessment       Existing control: No control activities in place
                           Control effectiveness NONE, Owner: Partner, Control last tested N/A, Review 30-Nov-12
  Residual risk analysis   Likelihood POSSIBLE, Consequence MAJOR, Risk Rating HIGH

RISK: Failure to collect receivables in a timely manner
  Inherent risk analysis   Likelihood LIKELY, Consequence MODERATE, Risk Rating HIGH
  Control assessment       Existing control: Ad hoc review
                           Control effectiveness NEEDS IMPROVEMENT, Owner: Office Manager, Control last tested 30-Jun-12, Review 30-Nov-12
  Residual risk analysis   Likelihood POSSIBLE, Consequence MODERATE, Risk Rating TOLERABLE
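The three-step procedure above (inherent rating, control assessment, residual rating) can be carried in a small register tool that derives each risk's single overall rating from the matrix and checks the consistency rules the text states: a missing or ineffective control is a control gap and cannot reduce likelihood or consequence, residual ratings may only move down the scale, and a control that is past its review date or has never been tested is flagged. This is an added example, not code from the page or the standard. The page's matrix figure is not reproduced, so the rating bands here are an assumption chosen to agree with the four matrix cells visible in the example register; the LOW and EXTREME band names, the reporting date and the `RiskEntry` field layout are also assumptions.

```python
"""Risk register helper: derives inherent and residual ratings from a
likelihood/consequence matrix and checks the page's consistency rules.
Added example code; the matrix bands below are an assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Rating scales, ordered from least to most severe, as on the page.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
CONTROL_EFFECTIVENESS = ["none", "needs improvement", "adequate", "strong", "effective"]


def risk_rating(likelihood: str, consequence: str) -> str:
    """Overall rating for one likelihood/consequence pair.

    ASSUMPTION: the page's matrix figure is not available, so a multiplicative
    5x5 score is used. The band edges were chosen to reproduce the four cells
    visible in the page's example register (possible/major=HIGH,
    unlikely/major=TOLERABLE, likely/moderate=HIGH, possible/moderate=TOLERABLE).
    LOW and EXTREME are assumed band names; the page only shows HIGH and TOLERABLE.
    """
    score = (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)
    if score >= 15:
        return "EXTREME"
    if score >= 10:
        return "HIGH"
    if score >= 5:
        return "TOLERABLE"
    return "LOW"


@dataclass
class RiskEntry:
    """One row of the register (field layout is an assumption)."""
    event: str
    inherent_likelihood: str
    inherent_consequence: str
    existing_control: str          # "" when no control is documented
    control_effectiveness: str     # one of CONTROL_EFFECTIVENESS
    owner: str
    last_tested: Optional[date]    # None when the control has never been tested
    review_due: date
    residual_likelihood: str
    residual_consequence: str

    def inherent_rating(self) -> str:
        # Exactly one overall inherent rating per risk, derived from the matrix.
        return risk_rating(self.inherent_likelihood, self.inherent_consequence)

    def residual_rating(self) -> str:
        return risk_rating(self.residual_likelihood, self.residual_consequence)


def validate_entry(entry: RiskEntry, as_of: date) -> List[str]:
    """Return the consistency findings for one row (empty list if clean)."""
    findings = []
    no_control = not entry.existing_control or entry.control_effectiveness == "none"
    if no_control:
        findings.append("control gap: no effective control documented")
    # Residual likelihood and consequence may only move down the scale.
    if LIKELIHOOD.index(entry.residual_likelihood) > LIKELIHOOD.index(entry.inherent_likelihood):
        findings.append("residual likelihood exceeds inherent likelihood")
    if CONSEQUENCE.index(entry.residual_consequence) > CONSEQUENCE.index(entry.inherent_consequence):
        findings.append("residual consequence exceeds inherent consequence")
    # With no effective control, nothing reduces likelihood or consequence.
    reduced = (entry.residual_likelihood != entry.inherent_likelihood
               or entry.residual_consequence != entry.inherent_consequence)
    if no_control and reduced:
        findings.append("residual risk reduced although no effective control exists")
    # A control that exists but was never tested has unverified operation.
    if not no_control and entry.last_tested is None:
        findings.append("control has never been tested")
    if entry.review_due < as_of:
        findings.append("control review overdue (due %s)" % entry.review_due.isoformat())
    return findings


def validate_register(register: List[RiskEntry], as_of: date) -> Dict[str, List[str]]:
    """Findings keyed by risk event for every row of the register."""
    return {entry.event: validate_entry(entry, as_of) for entry in register}


# Constructed from the three rows of the page's example register.
EXAMPLE_REGISTER = [
    RiskEntry("Failure to meet compliance obligations", "possible", "major",
              "Informal annual review process", "adequate", "Compliance Officer",
              date(2012, 4, 30), date(2013, 1, 31), "unlikely", "major"),
    RiskEntry("Loss of Practitioner", "possible", "major",
              "", "none", "Partner", None, date(2012, 11, 30), "possible", "major"),
    RiskEntry("Failure to collect receivables in a timely manner", "likely", "moderate",
              "Ad hoc review", "needs improvement", "Office Manager",
              date(2012, 6, 30), date(2012, 11, 30), "possible", "moderate"),
]
AS_OF = date(2012, 12, 31)  # constructed reporting date for the overdue check

if __name__ == "__main__":
    for entry in EXAMPLE_REGISTER:
        print(entry.event, entry.inherent_rating(), "->", entry.residual_rating())
    for event, findings in validate_register(EXAMPLE_REGISTER, AS_OF).items():
        print(event, findings)
```

Run against the register as of the constructed date, the compliance risk comes out clean, the practitioner risk is reported as a control gap with an overdue review, and the receivables risk is flagged only for its overdue review; the derived ratings match the HIGH/TOLERABLE values recorded in the page's register.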


Risk Analysis involves developing an understanding of the risk. Risk Analysis provides an input to Risk Evaluation, to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk Analysis can also provide an input into making decisions where choices must be made, and the options may involve different types and levels of risk.

AS/NZS ISO 31000:2009