By simply being in business, organisations are exposed to thousands of risks every day. From supply chain risk, vendor risk, reputational risk, and technology failures, to accidents & incidents, non-compliance, strategic risk, and external threats from competitors, hackers, and geopolitical circumstances, businesses have a lot to manage. To understand the risks they are facing, and be ready to react, organisations need to understand their risk landscape and closely monitor each risk so they can react quickly to mitigate problems and take advantage of opportunities.
To put risk into perspective, organisations must categorise the risks they face across every department and establish a common framework to rate and monitor them. Broadly speaking, risk can be broken down into five common categories: strategic, compliance, operational, financial, and reputational. Breaking down risk into core categories helps organisations to avoid any unpleasant surprises by establishing a systemic, structured, and consistent approach to identifying risk.
Once risks have been identified and categorised, businesses must detect them in priority order and measure each one with data to understand its likelihood and impact. This risk analysis then gives the business a foundation for risk-informed decisions: a framework for identifying and assessing the factors that could harm the organisation or present opportunities.
This power to drive risk-informed decisions makes analysis a vital step in the risk management cycle. But how does a business set about detecting and measuring risk? Let’s explore ten key processes and methods that are commonly used to conduct risk analysis.
1. Risk registers
A risk register is essentially a library of possible risks and their potential likelihood and impact which allows stakeholders to track each identified risk and the relevant information linked to it. This process aims to collectively identify, analyse, and mitigate risks before they derail intended outcomes using a central point of oversight. By automating this process, each risk has an impact and probability score automatically calculated and is linked to the related assets and mitigating controls. This allows stakeholders to analyse risk at a granular level and roll it up enabling the organisation to explore the overall business impact.
Having been given careful consideration during the planning phase, the risk register is typically used during daily business operations as part of the wider risk management plan. While risk registers are often broken down into different categories, most templates share common elements that allow risks to be rated and compared:
- Risk description: A brief explanation of the risk.
- Risk breakdown structure: A chart that allows stakeholders to identify all the risks associated with a business function or project and categorise them.
- Risk categories: Risks are formally categorised to enhance the risk identification and prioritisation process.
- Risk analysis: This determines the probability and impact of a risk using quantitative and qualitative analysis.
- Risk probability: This provides an estimation of the likelihood of each risk occurring and assigns a qualitative or quantitative value.
- Risk priority: This is determined by assigning a score to each risk, which is obtained by multiplying the risk impact and probability values. When using qualitative measurements, risks with the highest impact and highest probability must be prioritised.
- Risk response: Each risk mitigation response is documented in a response plan.
- Risk ownership: Each risk must be assigned to a stakeholder who, as the risk owner, is responsible for deploying an appropriate response.
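As an added example (not code from the original article or from any GRC product), here is a minimal risk register in Python that scores each entry as impact multiplied by probability on a qualitative 1-5 scale, ranks the register, rolls scores up by category or by linked asset, and lists high-scoring risks that have no mitigating control linked to them. The scales, the risk entries, the owners, the asset names and the threshold of 12 are all constructed for illustration.

```python
from dataclasses import dataclass, field
from collections import defaultdict

# Qualitative 1-5 scales (constructed for this example; a real register
# defines its own scales in the risk framework).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str            # strategic, compliance, operational, financial, reputational
    probability: str
    impact: str
    owner: str
    assets: list[str] = field(default_factory=list)    # assets the risk is linked to
    controls: list[str] = field(default_factory=list)  # mitigating controls linked to it

    def score(self) -> int:
        """Risk priority = impact x probability on the qualitative scale."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken on impact so a rare-but-severe risk is not buried."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def roll_up(register: list[Risk], key: str) -> dict[str, int]:
    """Sum scores per category or per asset to see where exposure concentrates."""
    totals: dict[str, int] = defaultdict(int)
    for r in register:
        if key == "category":
            totals[r.category] += r.score()
        elif key == "asset":
            for a in r.assets:
                totals[a] += r.score()
        else:
            raise ValueError(f"unknown roll-up key: {key}")
    return dict(totals)


def uncontrolled(register: list[Risk], threshold: int = 12) -> list[Risk]:
    """High-scoring risks with no mitigating control linked: the first gap a reviewer looks for."""
    return [r for r in register if r.score() >= threshold and not r.controls]


# Constructed sample register (hypothetical entries).
REGISTER = [
    Risk("R-1", "Ransomware on file servers", "operational", "likely", "severe", "CISO",
         assets=["file-server"], controls=["offline backups", "EDR"]),
    Risk("R-2", "Key supplier insolvency", "strategic", "possible", "major", "COO",
         assets=["payments-gateway"], controls=[]),
    Risk("R-3", "GDPR breach notification deadline missed", "compliance", "unlikely", "major", "DPO",
         assets=["crm"], controls=["incident runbook"]),
    Risk("R-4", "Office Wi-Fi outage", "operational", "likely", "minor", "IT manager",
         assets=["office-network"], controls=[]),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.risk_id} score={r.score():2d} owner={r.owner} controls={r.controls or 'NONE'}")
    print("by category:", roll_up(REGISTER, "category"))
    print("by asset:", roll_up(REGISTER, "asset"))
    print("high risks with no control:", [r.risk_id for r in uncontrolled(REGISTER)])
```

Ranking on the raw product alone hides the difference between a rare, severe risk and a likely, minor one that happen to score the same, which is why the sort breaks ties on impact. The roll-up by asset is the granular view the text describes, and the uncontrolled check is the question an auditor asks first.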
2. Near miss and incident reporting
The reactive nature of many risk management programmes leads to near misses and seemingly minor incidents slipping through the net, presenting organisations with an opaque view of safety performance and workplace risk. If reported effectively however, these events present opportunities to build the foundations of prevention – such as relevant training programmes that positively influence behaviour and operational changes that address any near misses.
Comprehensive near miss and incident reporting supports the four core elements of effective incident management: identification, response, remediation, and analysis. By integrating this process into GRC software for maximum agility, businesses are empowered to learn from previous mistakes or near misses and prevent them from reoccurring. This provides the structure needed to conduct thorough investigations, root cause analysis, and identify where risks are likely to happen.
3. Monitoring KRIs
Near miss and incident reporting should also be used to inform another tool in the risk analysis process: Key Risk Indicators (KRIs). KRIs can be defined as: “critical predictors of unfavourable events that can adversely impact organisations. They monitor changes in the levels of risk exposure and contribute to the early warning signs that enable organisations to report risks, prevent crises and mitigate them in time.”
KRIs focus on the most critical indicators for managing the highest-level risks, which vary depending on a business’s objectives and priorities. They are used to measure risks that the business is exposed to and alert it when risk exposure exceeds tolerable levels. This underpins the process of monitoring and predicting potential high-risk areas and taking prompt action to prevent or mitigate their impact.
KRIs must be based on real-life transactional and operational business data – providing a single source of truth – and linked to the business’s strategic priorities. This empowers the business to identify the key risks related to each goal and establish KRIs that track them and alert stakeholders when the business is at risk of not achieving its goals or targets.
4. Risk assessments
Performing regular risk assessments on different business areas is a great way to identify potential risks. Qualitative and quantitative risk assessments offer different perspectives. By combining them, businesses can compare results and gain deeper insights, with the limitations of one type of data balanced by the strengths of the other.
- Qualitative risk assessments leverage knowledge, experience, and gut feelings to determine risk probability and how it will impact the business. Risks are typically identified by meetings, discussion forums, and market knowledge and measured on an established scale that estimates the probability, and they are usually categorised based on their source or impact.
- Quantitative risk assessments rely on objective, measurable data to provide insights into a business’s risk management process. This involves linking your risk management process to transactional and operational business data and deploying questionnaires, surveys, and risk assessments to accumulate data that can be tracked and monitored in real-time.
Qualitative assessments are less precise because they rest on the opinions and judgement of people who know the business and the industry rather than on objective, numerical data. Two assessors can rate the same risk differently, and the result is hard to track consistently over time.
Quantitative assessments use real business data to estimate probability and numerical values to estimate impact, which gives a more objective view of the threat landscape and lets the business forecast outcomes or estimate the likelihood of meeting targets. The caveat is that a quantitative result is only as good as the data and the model behind it: incomplete transaction data or a poorly chosen scale produces a precise-looking number that is still wrong, which is why the two approaches are best used together.
Organisations that utilise GRC software to manage risk will have access to a variety of best-practice risk assessment templates and forms that can be rolled out across the business using automated workflows & alerts. This enables fast collection of risk data that can be used to determine the likelihood of risk.
5. Risk and strategy integration
There is often a disconnect between risk management and strategic planning within businesses. Consequently, risk management programmes typically lack the strategic foundations from which they can build organisational value by informing decision-making and ensuring resources are allocated to strategic risks.
To bridge this gap, proactive businesses anchor risk management into existing strategic planning processes. By aligning risk management with the organisation’s strategic goals & objectives, organisations can better understand inherent risks that will prevent them from achieving their strategy, and they can also take calculated risks on key initiatives that are likely to grow the business or support the corporate strategy.
Building an effective risk-informed strategic planning function is not a straightforward process. A holistic GRC software solution is best used to automate this alignment by breaking down strategic goals and objectives into a series of programmes, projects, tasks, actions, and risks and allocating them across the business with clear ownership. This power to consolidate disparate processes, systems, and data sources into a single point of oversight ensures the business remains agile and resilient by pre-empting what could happen from a strategic risk perspective, good or bad.
6. Automated control monitoring
Risk management programmes can't rely on risk management teams manually interpreting risk data and watching KRIs by hand. They should use automated control monitoring to evaluate Key Risk Indicators (KRIs) against large data sets and raise an alert when one is breached.
From an irregular transaction to the risk of non-compliance or an audit failure, automated control monitoring can detect risks based on predetermined rules and send alerts. Controls can be set to flag areas of concern, including missed deadlines, anomalies in data, budget overspend, too many incidents, or when KRIs reach intolerable levels. Automatic notifications can be sent to the relevant stakeholder so action and intervention can be taken expeditiously.
Automated control monitoring gives compliance and internal audit teams the agility to do this. This extra layer of policing provides robust internal monitoring of high-risk operational processes. Automation addresses risk proactively by replacing reliance on siloed, manually collected data with a holistic approach that detects risk in large data sets and directs resources where they are needed. Organisations that monitor ad hoc, by contrast, leave gaps in their control environment that can lead to costly issues.
7. Standard deviation
Standard deviation is a statistical tool used to measure and manage risk over a set period and inform decision-making as part of a risk management strategy. When applied in a business environment, standard deviation can be used to monitor risk over a certain time frame. For instance, you might be able to exceed your risk tolerance for 1 or 2 days per month, but anything over that could be deemed unacceptable to the business.
You can use standard deviation when you are setting up automated control monitoring to determine the exact rules around when a risk will be flagged as reaching your risk tolerance.
Standard deviation measures how far individual data points vary from the mean (average) of a data set. When using it to inform decisions, risk managers talk about a measurement being a certain number of standard deviations from the mean. For data that is approximately normally distributed, about 68% of measurements fall within one standard deviation of the mean, which would represent a tolerable level of variation; about 95% fall within two standard deviations, beyond which a variation may justify a change in the risk management response; and about 99.7% fall within three. A measurement more than three standard deviations from the mean would therefore occur by chance only about 0.3% of the time, so it usually indicates that something has genuinely changed. Two practical caveats apply: the 68/95/99.7 figures only hold for roughly normal data, so check the distribution of a metric before setting thresholds on it, and the mean and standard deviation should be computed from a baseline period that is itself considered normal, because a single extreme value inflates both and can mask the next excursion. With those caveats, these calculations are a reliable way to compare and measure risk over time.
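The following is an added worked example (not code from the article) that puts the standard deviation rule of section 7 to work as an automated control monitoring rule of the kind section 6 describes. It takes a constructed 30-day baseline of a daily control metric (say, failed payment reconciliations per day), computes the mean and sample standard deviation, flags each monitored day that lies more than two standard deviations from the baseline mean, classifies each flag by the 68/95/99.7 band it falls in, and then counts flagged days per month against a tolerance of two days per month, the rule the text sketches. The metric, its values, the dates and both tolerances are assumptions made for the example.

```python
import statistics
from collections import Counter
from datetime import date, timedelta

# Constructed baseline: 30 daily values from a period the business regards as normal.
BASELINE = [11] * 10 + [10] * 8 + [12] * 8 + [9] * 2 + [13] * 2

# Constructed monitoring period: one value per day from 1 February 2024 (hypothetical dates).
MONITORED = {
    date(2024, 2, 1) + timedelta(days=i): v
    for i, v in enumerate([12, 11, 14, 10, 11, 15, 11, 12, 40, 10, 11, 8, 11, 10])
}


def baseline_stats(values):
    """Mean and sample standard deviation of the baseline period only.
    Keeping the baseline fixed stops an excursion from inflating the thresholds."""
    return statistics.mean(values), statistics.stdev(values)


def z_score(value, mean, sd):
    """Distance from the mean in standard deviations."""
    return (value - mean) / sd


def classify(z):
    """Map a z-score onto the 68/95/99.7 bands: within 1 sd, 1-2 sd, 2-3 sd, beyond 3 sd."""
    a = abs(z)
    if a <= 1:
        return "normal"
    if a <= 2:
        return "watch"
    if a <= 3:
        return "alert"
    return "critical"


def monitor(series, mean, sd, tolerance_sd=2.0):
    """Flag every day whose value is more than tolerance_sd standard deviations from
    the baseline mean, in either direction. Returns (day, value, z, band) tuples."""
    flagged = []
    for day, value in sorted(series.items()):
        z = z_score(value, mean, sd)
        if abs(z) > tolerance_sd:
            flagged.append((day, value, round(z, 2), classify(z)))
    return flagged


def breaches_per_month(flagged, max_days_per_month=2):
    """The 'no more than N days a month over tolerance' rule: months where it was broken."""
    counts = Counter((day.year, day.month) for day, *_ in flagged)
    return {ym: n for ym, n in counts.items() if n > max_days_per_month}


if __name__ == "__main__":
    mean, sd = baseline_stats(BASELINE)
    print(f"baseline mean={mean:.2f} sd={sd:.2f}; 2 sd band = [{mean - 2 * sd:.2f}, {mean + 2 * sd:.2f}]")
    flagged = monitor(MONITORED, mean, sd)
    for row in flagged:
        print(*row)
    print("months over tolerance:", breaches_per_month(flagged))
```

Two design points carry over to a real deployment. The rule is two-sided on purpose: a sudden drop in failed reconciliations can mean the reconciliation job itself stopped running, which is a control failure rather than good news. And the baseline is a fixed window rather than a rolling one that includes the flagged days; if the outlier of 40 were folded into the baseline, the standard deviation would jump and the next genuine excursion would go unflagged.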
8. Bow tie analysis
Bow tie analysis can be used to support risk treatment planning by helping organisations to identify where new or enhanced controls may be required – where the risk level is high, or control effectiveness is assessed as low.
It shows pathways from the causes of an event or risk to its consequences in a clear qualitative diagram that’s represented as a bow tie, creating a differentiation between proactive and reactive risk management. The central knot is the point where the fault tree paths converge, and the event tree spans out, allowing the resulting analysis to focus on two things: the barriers or controls depicted by the fault tree to the left of the knot that can impact the likelihood of the event or risk, and those depicted by the event tree to the right that can change its consequences.
Bow tie analysis is typically used to identify control gaps by checking each pathway has effective controls; from cause to event and event to consequence. Factors that could cause them to fail are easily identified using this methodology.
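As an added example (not from the article), the bow tie can be modelled as data and the control gap check run mechanically: every pathway on the left of the knot should have at least one effective preventive barrier, and every pathway on the right at least one effective mitigating barrier. The example also reports pathways that rest on a single effective barrier, which is where a barrier failure turns directly into the top event. The top event, the pathways, the barriers and the effectiveness assessments are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Pathway:
    """One line of the bow tie: a threat leading to the top event (left side)
    or the top event leading to a consequence (right side)."""
    name: str
    controls: list[str] = field(default_factory=list)   # barriers placed on this path
    ineffective: set[str] = field(default_factory=set)  # barriers assessed as not working (hypothetical assessment)

    def effective_controls(self) -> list[str]:
        return [c for c in self.controls if c not in self.ineffective]


@dataclass
class BowTie:
    top_event: str
    threats: list[Pathway]        # fault tree side: preventive barriers change likelihood
    consequences: list[Pathway]   # event tree side: mitigating barriers change impact

    def control_gaps(self) -> dict[str, list[str]]:
        """Pathways with no effective barrier, split by which side of the knot they sit on."""
        return {
            "prevention": [p.name for p in self.threats if not p.effective_controls()],
            "mitigation": [p.name for p in self.consequences if not p.effective_controls()],
        }

    def single_barrier_pathways(self) -> list[str]:
        """Pathways that depend on exactly one effective barrier."""
        return [p.name for p in self.threats + self.consequences if len(p.effective_controls()) == 1]


# Constructed bow tie for a hypothetical top event.
DB_ACCESS = BowTie(
    top_event="Unauthorised access to customer database",
    threats=[
        Pathway("Phished credentials", ["MFA", "phishing awareness training"]),
        Pathway("Unpatched internet-facing server", ["30-day patch SLA"], ineffective={"30-day patch SLA"}),
        Pathway("Malicious insider", []),
    ],
    consequences=[
        Pathway("Bulk data exfiltration", ["DLP", "egress monitoring"]),
        Pathway("Regulatory fine", ["breach notification runbook"]),
        Pathway("Service outage", []),
    ],
)

if __name__ == "__main__":
    print("Top event:", DB_ACCESS.top_event)
    print("Control gaps:", DB_ACCESS.control_gaps())
    print("Single-barrier pathways:", DB_ACCESS.single_barrier_pathways())
```

A barrier that is present on the diagram but assessed as ineffective is treated as absent, which is the point of the assessment step: the gap analysis should be run on what the controls actually do, not on what the register says they should do.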
9. Defining risk appetite
Businesses that don’t define their risk appetite expose themselves to the threat of absorbing too much risk and doing things that are detrimental to their survival. A risk appetite statement is defined as: “the articulation in written form of the aggregate level and types of risk that a business is willing to accept, or avoid, to achieve its objectives.”
The statement, which should be created in collaboration with the wider business, is used as a key communication tool to set the tone from board level and guide the behaviour of individual employees. Therefore, it must be articulated in transparent risk appetite language that engages the whole organisation and accompanied by a risk appetite framework that identifies and quantifies conscious risk-taking, aligning risks with the organisation’s objectives and strategy.
The risk appetite statement and framework will remain rudderless without clear channels of communication, making it almost impossible to operate within its boundaries. Adopting a robust approach to risk communication supports the flow of relevant information from the top-down, and the creation of a proactive risk culture from the bottom-up – empowering the right people to make the right decisions at the right time.
10. Setting KPIs
Proactive businesses don’t cross their fingers and hope they are keeping their risk exposure below the desired level, they use metrics to measure performance from a risk perspective – as renowned management consultant Peter Drucker famously said: “What gets measured gets done.”
The most commonly used metric for this purpose is the key performance indicator (KPI). KPIs are lagging indicators: they measure historical performance against a target, and whether the target was met or missed tells the business how far it has progressed toward an intended result. KRIs, covered above, are the forward-looking counterpart. KPIs help to drive strategic and operational improvement, create an analytical basis for decision-making, and focus attention on what matters most.
Assessing risk using these quantifiable measurements involves setting targets (the desired level of performance) and tracking progress against that target. Examples of KPIs that can be used for risk management include:
- Identified risks
- Actual risks that occur
- Risks that materialised without having been identified or anticipated in the register
- Frequency of risks
- Severity of risks
- Costs incurred due to risks
- Speed and effectiveness of solutions
Automating risk analysis
Risk measurement and detection has traditionally been hamstrung by a reliance on manual processes – such as emails and spreadsheets – and siloed data. These antiquated processes are clunky, time-consuming, and error-strewn, depriving businesses of quality risk-related information – fostering a reactive perspective. This lack of efficiency and connectivity prevents businesses from establishing a proactive, integrated approach to risk analysis that informs the entire organisation and its strategy.
That is why well established, risk aware organisations use purpose-built GRC solutions to facilitate their risk management programme. These solutions are packed with functionality including:
- Risk assessment templates
- A framework to build a best practice risk register
- API integrations enabling you to utilise live transactional and operational data as part of your risk management programme
- Automated control monitoring with workflows and notifications to alert staff
- Ability to set Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) with automated alerts
- Extensive dashboarding and reporting capabilities including bow tie analysis that can be used to make risk informed business decisions.
- Some solutions offer the ability to integrate risk management with strategic planning in one solution, enabling you to take calculated risks to work towards achieving your strategy whilst protecting the business from an undesirable level of risk.
GRC software facilitates joined-up, continuous risk analysis by delivering automated functionality that engages employees and encourages them to become responsible for the detection and measurement of risks related to their role. It supports an organisation to build a best-practice risk framework enabling them to mature their risk management programme as the business grows. It promotes a risk aware culture that involves all departments in the risk management process, arming risk management professionals with the insights and data they need to protect the business and take advantage of strategic opportunities.