The corporate scandals of Enron, WorldCom, and Tyco in the early 2000s have forever changed how management and investors view risk management programs. Circumventing controls and exposing a business to increased risk is a recipe for disaster that could result in reputational damage.
Despite management’s good faith efforts to implement comprehensive risk assessments and mitigation programs, the percentage of successful implementations remains relatively low. Fortunately, there are some clear indicators that your risk assessment may be falling short.
Five Pitfalls That Contribute to an Ineffective Business Risk Assessment
Believing a risk assessment is a one-time task
Risk assessments often result in a substantial amount of documentation that is filed away once completed. However, if the risk management process is not incorporated into daily business processes, it becomes a “check-the-box” exercise and the benefits are never realized. To be effective, it needs to be refreshed as the business changes and should be continuously updated.
Being too generic with risk
When performing risk assessments, companies tend to identify generic risks. For example, they may conclude that there is a “risk of fraud,” which is too generic. Instead, specific fraud scenarios should be identified, including who the likely perpetrators are, how they could conceal the fraud, and how the potential fraud could be prevented.
Inability to detect risk throughout the whole business
Many companies use a top-down approach, which is well suited to identifying strategic risks. Others prefer a bottom-up approach, which is better for identifying operational risks. However, each one provides only a partial view. Having the perspectives of both executive management and operational staff is necessary for developing a holistic view of the organization’s risk exposures and ways to mitigate them.
Treating symptoms instead of root causes
When issues are identified, remediation efforts often address the symptom but fail to treat the root cause of the problem. As a result, the root cause goes unresolved and the risk of further issues remains high.
Lack of accountability and buy-in
Risk assessments are often done by someone independent of the business process, such as the Compliance officer, and sometimes without getting buy-in or feedback from the business area. This can result in incorrect assumptions being used, which in turn leads to poor process documentation and incorrect controls.
Assemble a Dream Team for Risk Assessment
A best practice is to have three components in your business’s risk assessment:
- A Risk Officer who will champion and oversee the risk management program.
- The selected employee(s) in the Compliance and/or Legal Department who will work with the business units.
- A Risk Committee composed of top executives from the functional areas, typically chaired by the Risk Officer. The Risk Committee is responsible for supporting the Risk Officer in overseeing the program, and such involvement fosters the executives’ buy-in to the program.
Being aware of potential pitfalls is the first step toward effective mitigation. If you would like to learn more about how we can help improve your business’s risk assessment process, please get in touch with us. In the meantime, visit our Risk Assurance or Internal Audit pages to see what services we offer to keep your company safe.