Risks represent significant uncertainties about outcomes. Any uncertainty may be measured in two dimensions - the likelihood of the risk event occurring and the extent of the consequences if it were to occur.
Risk analysis generally involves the assignment of an overall risk rating to each of the risk events identified by following these steps:
- Analyse inherent risk - What is the likelihood and consequence of a risk event if it were to occur in an uncontrolled environment?
- Identify and evaluate controls - What existing controls are in place to address the identified risk and how effective are these controls in design and operation?
- Analyse residual risk - What is the likelihood and consequence of a risk event if it were to occur in the current control environment?
Assessment criteria
Assessing risks assists in identifying, analysing and prioritising key business risks. It helps validate and prioritise the key risks to monitor, and it highlights any opportunities to improve the current activities the business relies on as controls. A risk assessment provides insight into significant inherent risks from a practice perspective and links these to a firm's objectives, strategies and business processes.
A firm needs to develop the criteria by which all risks will be assessed. Explore each criterion for qualitative examples that are suitable for use by sole practitioners and small firms.
An assessment of likelihood and consequence is subjective, so constructive challenge of ratings by a range of stakeholders can assist in the development of robust risk assessments.
Risk rating - the ranking assigned after considering the likelihood and consequence of a risk.
Analyse the inherent risks
Initially, risks are assessed on an inherent basis, considering the likelihood and impact of the risk without taking into account the controls in place in the firm. This helps to understand the importance of controls in mitigating risk.
For each risk identified:
- Assess inherent likelihood - What is the probability of the risk event occurring if no controls were in place?
- Assess inherent consequence - What is the extent of the most probable impact of the risk event occurring if no controls were in place?
Identify and evaluate controls
A control is any action in place that either reduces the likelihood of an event occurring or reduces the potential consequence arising from the event. For each risk identified, there may be a single or multiple controls in place to address the risk.
For each risk identified:
- Identify the existing control - What is the process, policy, device, practice or other action that is used to modify the likelihood or the consequence of the risk event occurring? If there is no existing control, there is a control gap.
- Assess the effectiveness of the control - What is the overall effectiveness of the control in terms of the strength of its design and its operation?
Analyse the residual risk
Residual risk analysis involves the assessment of risk after existing internal controls are taken into account. How much the rating changes from inherent to residual depends on whether the controls are designed to address the likelihood of the risk, the consequence of the risk, or both.
For each risk identified:
- Assess the residual likelihood - What is the probability of the risk event occurring within the current control environment? This should be determined after a review of the effectiveness of the control.
- Assess residual consequence - What is the most probable impact of the risk event if it were to occur within the current control environment? Assume that the controls are operating at their assessed strength; do not rate the maximum consequence that would arise if the controls were to fail.
For each risk, there should be only one overall residual risk rating, based on the effectiveness of the controls in place to address the risk.
Example
The key output from the risk analysis and evaluation stage is an overall risk rating for each identified risk after an evaluation of current control effectiveness. An example of how this can be documented in a risk register is shown below (the first three columns record the risk identification, the last three the risk assessment):
| Event | Cause | Consequence | Likelihood | Consequence | Risk Rating |
|---|---|---|---|---|---|
| Failure to meet compliance obligations | Inadequate compliance training and/or poor compliance monitoring | Increased costs due to fines for breaches and/or reputation damage | UNLIKELY | MAJOR | TOLERABLE |
| Loss of Practitioner | Death or incapacity of Practitioner | Failure of or diminution in value of the Practice | POSSIBLE | CATASTROPHIC | VERY HIGH |
| Failure to collect receivables in a timely manner | Slow payment from debtors; poor monitoring of outstanding debtors | Poor cash flow; outstanding debts uncollectable; loss of revenue | LIKELY | MAJOR | VERY HIGH |
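The three-step process above (inherent rating, control evaluation, residual rating) as a small worked model in Python. This is an added example, not material from the guidance itself; the 5x5 rating matrix, the scale labels not shown on the page, the control effectiveness levels, the credit rule and the inherent values behind the three register rows are all assumptions chosen so that the residual ratings reproduce the register above.

```python
# Added example (not the guidance's own material): a small risk-register model for
# the inherent -> controls -> residual steps above. The 5x5 rating matrix, the scale
# labels not on the page, the effectiveness levels and the credit rule are assumed.
from dataclasses import dataclass, field
LIKELIHOOD = ["RARE", "UNLIKELY", "POSSIBLE", "LIKELY", "ALMOST CERTAIN"]
CONSEQUENCE = ["INSIGNIFICANT", "MINOR", "MODERATE", "MAJOR", "CATASTROPHIC"]
MATRIX = [  # assumed; indexed [likelihood][consequence]; reproduces the rows above
    ["LOW", "LOW", "LOW", "TOLERABLE", "TOLERABLE"],
    ["LOW", "LOW", "TOLERABLE", "TOLERABLE", "HIGH"],
    ["LOW", "TOLERABLE", "TOLERABLE", "HIGH", "VERY HIGH"],
    ["TOLERABLE", "TOLERABLE", "HIGH", "VERY HIGH", "VERY HIGH"],
    ["TOLERABLE", "HIGH", "VERY HIGH", "VERY HIGH", "VERY HIGH"],
]
# Assumed credit rule: steps a control moves the dimension it addresses down by.
STEPS = {"EFFECTIVE": 2, "PARTIALLY EFFECTIVE": 1, "INEFFECTIVE": 0}

@dataclass
class Control:
    description: str
    addresses: str      # "likelihood", "consequence" or "both"
    effectiveness: str  # a key of STEPS, from the design/operation review

@dataclass
class Risk:
    event: str
    likelihood: str     # inherent: probability with no controls in place
    consequence: str    # inherent: most probable impact with no controls
    controls: list = field(default_factory=list)
def rate(likelihood, consequence):  # overall rating for one likelihood/consequence pair
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]
def assess(risk):
    """Inherent rating, then the single residual rating after crediting each control."""
    li, ci = LIKELIHOOD.index(risk.likelihood), CONSEQUENCE.index(risk.consequence)
    for c in risk.controls:
        if c.addresses in ("likelihood", "both"):
            li = max(0, li - STEPS[c.effectiveness])
        if c.addresses in ("consequence", "both"):
            ci = max(0, ci - STEPS[c.effectiveness])
    return {"inherent": rate(risk.likelihood, risk.consequence),
            "residual": rate(LIKELIHOOD[li], CONSEQUENCE[ci]),
            "control_gap": not risk.controls}  # no control at all is a control gap

REGISTER = [  # constructed; the inherent values and controls are assumptions
    Risk("Failure to meet compliance obligations", "LIKELY", "MAJOR", [
        Control("Annual compliance training", "likelihood", "PARTIALLY EFFECTIVE"),
        Control("Quarterly compliance monitoring", "likelihood", "PARTIALLY EFFECTIVE")]),
    Risk("Loss of Practitioner", "POSSIBLE", "CATASTROPHIC"),
    Risk("Failure to collect receivables in a timely manner", "LIKELY", "MAJOR",
         [Control("Monthly debtor review", "likelihood", "INEFFECTIVE")]),
]
```

Note that the second risk has no control at all and is flagged as a control gap, while the third has a control that earns no credit because it is assessed as ineffective; both keep their inherent rating as the residual rating.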
Risk Management Framework