Every business is unique, with its own challenges, opportunities, and risks.
Whether it’s meeting internal control requirements, complying with ISO standards, or adhering to legal mandates, effective risk management is crucial for businesses.
Here, discover a five-step method successfully applied with our clients to identify and assess risks.
1/ Objective and scope of risk management
First and foremost, it is essential to define the “why” behind implementing risk management. This step is the most important as it will serve as the backbone of your risk treatment strategy.
The initial framework can be defined on three aspects:
- Geographical scope, i.e., the locations or sites included in the risk management
- The activities or processes involved
- The families of risks managed by the risk management
The families of risks vary depending on the objectives of your risk management (establishing internal control, obtaining ISO 27001 certification, etc.). Here are some examples of risk families:
- Financial: Risks that could cause financial loss to the company
- Financial Statements: Risks of inaccurate accounting information, anomalies in accounts
- Compliance: Risks that could make the company non-compliant with standards and laws (FINMA or ACPR requirements, ISO certifications, etc.)
- Operational: Risks preventing the company from achieving its objectives and mission
- Environmental: Risks causing damage to the environment
- Health and Safety: Risks that could affect the physical or psychological health of employees or people connected with the company
- Information Security: Risks related to the confidentiality, accessibility, and integrity of data
Similarly, it will not be necessary to address all families of risks or to give them the same importance depending on your sector of activity. Here are the risk families generally covered according to sectors:
- Construction: Environmental risks, occupational health and safety risks (OHS), etc.
- Insurance: Financial risks, information security risks, etc.
- Banking: Financial and financial statement related risks, compliance risks, etc.
2/ Risk identification
There are several methods to identify risks:
- Brainstorming: This involves organizing sessions with employees to identify the risks they face. This approach promotes the emergence of diverse ideas, but be careful not to overdo it!
- Processes: Risks generally arise from the activities or processes carried out within the company. Therefore, for each process, one must ask, “What are the risks associated with this activity or with the selected risk families?”
- Assets: This involves assessing the company’s assets and resources to identify risks that may affect them. Assets can be physical, financial, technological, or human. This approach is sometimes required, especially in the context of ISO 27001 certification.
In the first example below, we start from the “Invoicing” process where we have identified two risks. In the second example, we start from the informational asset “patient medical information” on which two risks have also been identified.
This identification phase can generate a multitude of risks and, although they are conceivable, it is recommended to stay as close to reality as possible. Thus, prioritize risks starting with situations already experienced in the company or by other market players.
3/ Identification and description of control measures
Control measures are implemented to reduce the likelihood of a risk occurring and/or its impact if it does occur. These measures can include automated controls, procedures, equipment, insurance, etc. Describing the control measures allows:
- To reduce errors
- To ensure that controls are carried out
- To clarify the responsibilities of employees
- To ensure business continuity in case of absence
4/ Risk assessment
Once the risks and control measures have been correctly identified, you can proceed to evaluate them. This evaluation will determine whether the control measures are sufficient and if they need to be strengthened. In some standards or laws, risk assessment is not mandatory. However, it offers advantages such as:
- Prioritizing risks in order to implement an action plan suited to critical risks
- Highlighting the importance of certain risks
- Ensuring a common understanding of the risks
It is common to see two types of risk evaluations: gross risk and net risk. To clarify this topic, read our article: “What is the difference between inherent risk and residual risk?”.
If we revisit our examples of risks, the inherent and residual evaluations differ. This perspective allows for prioritizing the actions to be implemented to limit the likelihood of occurrence and the impact of the risks.
5/ Risk Treatment
There are four strategies for dealing with risks: avoid, reduce, transfer, or accept. Let’s take the “risk of data disclosure” as an example:
- Avoid: Stop processing patient medical information. This solution is hardly feasible.
- Reduce: Conduct an annual data security audit by an expert company.
- Transfer: Take out cyber insurance.
- Accept: Do not prioritize this risk and maintain only the current control measures.
You now have all the keys in hand to implement effective and useful risk management for everyone. To ensure its effectiveness over time, it is recommended to reassess the risks each year and analyze the performance of the control measures. In case of shortcomings, you will be able to adjust them.
A risk management software like Optimiso Suite will greatly assist you daily: you will benefit from centralized risk management, automated risk monitoring, risk mapping, and a solution approved by auditors.
