3. Analyse & Evaluate Risks

Risk Management Framework

Risks represent significant uncertainties about outcomes. Any uncertainty may be measured in two dimensions - the likelihood of the risk event occurring and the extent of the consequences if it were to occur.

Risk analysis generally involves the assignment of an overall risk rating to each of the risk events identified by following these steps:

  • Analyse inherent risk - What is the likelihood and consequence of a risk event if it were to occur in an uncontrolled environment?
  • Identify and evaluate controls - What existing controls are in place to address the identified risk and how effective are these controls in design and operation?
  • Analyse residual risk - What is the likelihood and consequence of a risk event if it were to occur in the current control environment?

Assessment criteria

Assessing risks assists in identifying, analysing and prioritising key business risks. It helps validate and prioritise the key risks to monitor, and it highlights opportunities to improve the current activities the business relies on as controls. A risk assessment provides insight into the significant inherent risks from a practice perspective and links these to the firm's objectives, strategies and business processes.

A firm needs to develop the criteria by which all risks will be assessed. Each criterion below is accompanied by qualitative examples suitable for use by sole practitioners and small firms.

An assessment of likelihood and consequence is subjective, so constructive challenge of ratings by a range of stakeholders can assist in the development of robust risk assessments.

LIKELIHOOD

The probability of the risk occurring, say within the next twelve months, which can be expressed as a percentage between 0% and 100%.

RATING         | POTENTIAL FOR RISK TO OCCUR            | PROBABILITY
almost certain | Likely to occur frequently             | >90%
likely         | Likely to occur several times a year   | 50%-90%
possible       | Possibly occurs once a year            | 10%-50%
unlikely       | Likely to occur once every few years   | 5%-10%
rare           | May occur once in 5 years              | <5%

CONSEQUENCE

The potential outcome of a risk event that affects a firm's business objectives on the assumption that an event has occurred and the most probable consequence has resulted rather than the worst-case scenario.

RATING        | DESCRIPTION
catastrophic  | Could shut down practice/part of firm. Business objectives not achieved.
major         | Material impact on practice/firm. Key business objectives not achieved.
moderate      | Noticeable impact on practice/firm. Some business objectives not achieved.
minor         | Some impact that is easily remedied.
insignificant | Impact not visible.

RISK RATING

The ranking assigned after considering the likelihood and consequence of a risk.

CONTROL ASSESSMENT

Any action or activity that the firm has in place that either reduces the likelihood of a risk event occurring or minimises the potential for impact arising from that event.

RATING            | ACTION                              | DESCRIPTION
effective         | Effective                           | Controls and/or management activities are properly designed and operating as intended.
strong            | Limited improvement opportunity     | Controls and/or management activities are properly designed and operating, with limited opportunities for improvement identified.
adequate          | Moderate improvement opportunity    | Controls and/or management activities are in place, with opportunities for improvement identified.
needs improvement | Significant improvement opportunity | Limited controls and/or management activities are in place; a high level of risk remains.
none              | Critical improvement opportunity    | Controls and/or management activities are non-existent or have major deficiencies and don't operate as intended.

Analyse the inherent risks

Initially, risks are assessed on an inherent basis, considering the likelihood and impact of the risk without taking into account the controls the firm has in place. This helps to show how much the controls contribute to mitigating the risk.

For each risk identified:

  • Assess inherent likelihood - What is the probability of the risk event occurring if no controls were in place?
  • Assess inherent consequence - What is the extent of the most probable impact of the risk event occurring if no controls were in place?

Identify and evaluate controls

A control is any action in place that either reduces the likelihood of an event occurring or reduces the potential consequence arising from the event. For each risk identified, there may be a single or multiple controls in place to address the risk.

For each risk identified:

  • Identify the existing control - What is the process, policy, device, practice or other action that is used to modify the likelihood or the consequence of the risk event occurring? If there is no existing control, there is a control gap.
  • Assess the effectiveness of the control - What is the overall effectiveness of the control in terms of the strength of its design and its operation?

Analyse the residual risk

Residual risk analysis involves the assessment of risk after existing internal controls are taken into account. Changes from inherent to residual ratings will be dependent on whether controls are designed to address the likelihood of the risk, the consequence of the risk or both.

For each risk identified:

  • Assess the residual likelihood - What is the probability of the risk event occurring within the current control environment? This should be determined after a review of the effectiveness of the control.
  • Assess residual consequence - What is the most probable impact of the risk event if it were to occur within the current control environment? Assume that the controls are operating at their assessed strength, rather than the maximum consequence if the controls were to fail.

For each risk, there should be only one overall residual risk rating, based on the effectiveness of the controls in place to address the risk.

Example

The key output from the risk analysis and evaluation stage is an overall risk rating for each identified risk after an evaluation of current control effectiveness. An example of how this can be documented in a risk register is shown:

RISK IDENTIFICATION | | | RISK ASSESSMENT | |
Event | Cause | Consequence | Likelihood | Consequence | Risk Rating
Failure to meet compliance obligations | Inadequate compliance training and/or poor compliance monitoring | Increased costs due to fines for breaches and/or reputation damage | UNLIKELY | MAJOR | TOLERABLE
Loss of Practitioner | Death or incapacity of Practitioner | Failure of or diminution in value of the Practice | POSSIBLE | CATASTROPHIC | VERY HIGH
Failure to collect receivables in a timely manner | Slow payment from debtors; poor monitoring of outstanding debtors | Poor cash flow; outstanding debts uncollectable; loss of revenue | LIKELY | MAJOR | VERY HIGH
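As an added example (not code from the original page), the likelihood and consequence scales above and the inherent-versus-residual assessment steps can be captured in a small risk-register helper. The page shows its rating matrix only as an image, so the 5x5 MATRIX below is an assumption chosen to reproduce the three ratings in the example register; the band edges used by likelihood_from_probability (0.05, 0.1, 0.5, 0.9) and the warning rules in Risk.evaluate are likewise this example's own.

```python
from dataclasses import dataclass, field

# The page's two five-point scales, ordered from least to most severe.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# ASSUMED rating matrix (the page shows it only as an image); rows = likelihood,
# columns = consequence. It reproduces the three ratings in the example register.
MATRIX = [
    ["LOW",       "LOW",       "LOW",       "TOLERABLE", "HIGH"],       # rare
    ["LOW",       "LOW",       "TOLERABLE", "TOLERABLE", "HIGH"],       # unlikely
    ["LOW",       "TOLERABLE", "TOLERABLE", "HIGH",      "VERY HIGH"],  # possible
    ["TOLERABLE", "TOLERABLE", "HIGH",      "VERY HIGH", "VERY HIGH"],  # likely
    ["TOLERABLE", "HIGH",      "VERY HIGH", "VERY HIGH", "VERY HIGH"],  # almost certain
]

def likelihood_from_probability(p: float) -> str:
    """Map a twelve-month probability (0..1) onto the likelihood bands.
    Which band a boundary value (0.05, 0.1, 0.5, 0.9) falls in is an assumption."""
    if p > 0.9:
        return "almost certain"
    if p >= 0.5:
        return "likely"
    if p >= 0.1:
        return "possible"
    return "unlikely" if p >= 0.05 else "rare"

def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the overall rating for one (likelihood, consequence) pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

@dataclass
class Risk:
    event: str
    inherent: tuple                                # (likelihood, consequence), no controls
    controls: list = field(default_factory=list)   # empty list = control gap
    residual: tuple = None                         # pair with controls at assessed strength

    def evaluate(self) -> dict:
        """Rate the risk on both bases and flag inconsistencies for the assessor."""
        residual = self.residual or self.inherent  # a control gap leaves the rating unchanged
        warnings = []
        if not self.controls and residual != self.inherent:
            warnings.append("control gap but residual differs from inherent")
        for scale, inh, res in zip((LIKELIHOOD, CONSEQUENCE), self.inherent, residual):
            if scale.index(res) > scale.index(inh):   # controls should not worsen a rating
                warnings.append(f"residual {res} rated worse than inherent {inh}")
        return {"event": self.event, "inherent": risk_rating(*self.inherent),
                "residual": risk_rating(*residual), "warnings": warnings}
```

Each register row can be fed in as a Risk with its inherent pair, the controls identified, and the residual pair agreed after the control review; the warnings list catches the two inconsistencies the text warns about (a control gap that nonetheless changes the rating, and a residual rating worse than the inherent one).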


Risk Analysis involves developing an understanding of the risk. Risk Analysis provides an input to Risk Evaluation, to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk Analysis can also provide an input into making decisions where choices must be made, and the options may involve different types and levels of risk.

AS/NZS ISO 31000:2009