Do you employ a risk and control inventory?
No matter where you get your business news, it seems like a day never goes by without a story about a large reputable organization in hot water for a failure of management to recognize and manage a risk.
However, the news is also full of favorable press for executives and businesses navigating tricky waters and thriving despite risks.
In order to understand risk, let’s start with the dictionary definition. Risk is the “possibility of suffering harm or loss; danger”; i.e., loss of financial wealth, emotional well-being, social status, and/or physical health, etc. We take risks in order to gain a reward resulting from a given action or inaction, foreseen or unforeseen. The biggest problem with risk is that too many businesses fail to thoroughly understand and manage it, but in order to manage risk, you need to be able to measure and understand your organization’s tolerance for risk.
Then, how do we measure risk and how do we minimize risk? How do we weigh our options as we assess risks? What is our risk appetite?
How to Make an Educated, Real Time Decision About Risk
Executives must make decisions every day, often under tremendous pressure to deliver an answer in a split second. How do you know that you are making the right decisions?
The key to making educated risk decisions in the spur of the moment is to develop a thorough understanding of the risks that your business faces and its tolerance for risk ahead of time. Armed with this knowledge, you can proactively manage existing risks and identify and respond to new risks as they arise.
Being risk-focused means having your ducks in a row. Some items to consider:
- Understand the risks within your industry, i.e. operational, environmental, regulatory, and technical, etc.
- Have an idea what your competitors are doing regarding risks and their reactions to them.
- Do you have a risk and control inventory?
- What is your organizational risk culture and what risk programs do you presently have in place?
10 Steps for Creating a Risk and Control Inventory
One way to understand the risks that affect your business or department is to create and maintain process flows and narratives that identify relevant risks and their controls. This is a very simple exercise, but many businesses never take the time to do it.
Follow these steps to create a risk and control inventory:
- Challenge your team to stop and think about the processes within their specific area.
- Identify processes that generate inputs to your workflow. (What must happen before we can start our work?)
- Identify where your process outputs go. (What steps happen once your work is done?)
- Inventory each process within your area that modifies the input you receive in order to create the output you deliver. Document these processes in writing.
- Plot each process from beginning to end. (Sometimes you might have to think about the actual processes by breaking them down to several pieces. You can go as high-level or as detailed as you wish).
- Once you understand each of the process steps, identify the risks associated with For every step, list each of the possible things that could go wrong.
- Then identify the corresponding controls designed to address those risks.
- Number your risks and controls for easy reference. Make sure that each risk has at least one corresponding control. If one doesn’t exist now, the creation of a new control could be one of the first to-dos coming out of the process. (An added dividend of this process is you may identify repetitive or non-value-added steps that can be eliminated to streamline the flow.)
- Create a process flow narrative. It shouldn’t merely repeat the process steps. The narrative should add value to the process by identifying associated risks and controls at each step.
- Refer to these risks and controls going forward by their assigned reference numbers. Documentation should be clear and precise, including just enough detail that the reader understands the risks in play.
The flow charting process may take several tries. Confer with process owners to determine how detailed you need to make the chart in order to help everyone understand their roles in identifying and controlling risks. Don’t get discouraged if you cannot get the processes down the first time. Once completed, it will help you to see where exactly the risks and controls lie. Once identified, then the next step is how to use this information in order to mitigate these risks.
Connect with a Freed Maxick Risk Management Expert
If you would like to learn more about how to document risks within your organization, contact one of our Freed Maxick risk professionals here, or call us at 716.847.2651 to discuss the risk services that we offer. Our risk professionals currently work with clients from multiple industry sectors.
We will work with you and your organization to complete an assessment that will identify risks, make recommendations for improving your current processes and controls, and advise you on risk management best practices. We look forward to working with you.