All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the internal and environmental risks that are related to their day-to-day activities. While larger companies are particularly focused on the risks associated with corporate governance issues, founders and executives everywhere should be concerned about the potential adverse impact of natural disasters, litigation or government investigations, physical infrastructure and facilities risks, terrorist attacks, unforeseen changes in customer requirements, the entry of new competitors or introduction of new technologies, credit and market risks, breakdowns in internal controls, and security breaches that can lead to financial losses and reputational damage. All this means that companies must integrate risk management into their overall strategic business planning effort to reduce and manage uncertainties in the environment in which they operate. In order to do this, companies must embrace risk assessment processes that allow them to benchmark, or compare, the risk areas and compliance activities of their company against firms of similar size engaged in comparable operational and business activities. The output of these processes then becomes the basis for designing effective compliance programs and setting operational priorities for everyone in the workplace.
The International Center for Growth-Oriented Entrepreneurship has just released a chapter from its Library of Compliance Resources on Conducting Risk Assessments, which is available for free download and sharing. Some important things you need to know about risk management and risk assessments include the following:
1. The risks that are the greatest concerns for corporate executives include corporate governance issues, which not only expose companies to the costs of actual liability for violation of corporate governance laws and regulations but also force them to invest substantial amounts in compliance programs; natural disasters (e.g., hurricanes, flooding and earthquakes) in countries where companies have substantial assets and/or are engaged in a high volume of business activities; higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable; physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways; governmental regulation that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors; terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies; and cyber-attacks that disable a company’s communications infrastructure and expose companies to potential liability for theft of personal information that has been entrusted to them for safekeeping.
2. Management should be prepared to increase the company’s control mechanisms whenever there are changes in the organization’s regulatory or operating environment; changes in personnel; new or revamped information systems; rapid growth of the organization; changes in technology affecting production processes or information systems; new business models, products or activities; corporate restructurings; expansion or acquisition of foreign operations; and/or adoption of new accounting principles or changing accounting principles.
3. Risk assessment is primarily concerned with what are generally referred to as operational risks (also sometimes called transaction risks), which are risks of loss or injury to the company from inadequacies or failures relating to processes, systems or people (e.g., fraud or error). Operational risks can arise from internal and external factors and can be found in every major business activity of the company. Operational risks may be broken down into various categories such as credit and market risks, reputation risks, strategic risks and compliance risks. Credit and market risks include an unforeseen adverse decline in the liquidity of a key customer that must be addressed by changes in underwriting policies and collection systems to avoid significant losses and higher costs of servicing that customer. Reputation risks include the possibility of security breaches that result in the loss of confidential information and the loss of confidence of customers and other business partners. Strategic risk increases when the company fails to invest in the resources necessary for collection and analysis of all of the information needed to make proper and informed decisions about major new investments. Compliance risks include failure to comply with legal and regulatory requirements applicable to the company’s products and services, which leads to civil and/or criminal penalties.
4. The activities associated with an effective risk assessment process include identifying the risks that are most relevant to the company and developing a short description of the key characteristics of each risk so that it can be analyzed and strategies created for mitigating or eliminating it; defining the company’s “risk appetite” to determine which types of identified risks are most problematic for the company and thus are appropriate targets for mitigation activities; risk mitigation, which involves developing compliance programs and internal controls designed to reduce risks to levels consistent with the company’s risk appetite; and establishing benchmarks for measuring the effectiveness of the company’s risk mitigation efforts and procedures for continuous risk assessment to identify and manage new risks that may arise as the activities of the company and its external environment change. The scope of the process, and the investment it requires, depend on the size of the company, its stage of development and its available resources; companies must decide on the level of sophistication of their risk management procedures, how much of the process should be outsourced and the appropriate internal management structure for the risk management activities.
5. Recognized general guidelines for conducting effective risk assessments include covering all major areas of potential misconduct; examining risk in the context of the company’s resources; using industry information and company history; including managers and employees from all organizational levels; analyzing both the impact and likelihood of the occurrence of a risk; quantifying each risk area; documenting the outcome of the risk assessment process; conducting the risk assessment in a defensibly objective manner and on a regular basis; and benchmarking the company’s compliance programs.