My last two posts have dealt with understanding risk and the application of the ERM Framework developed by COSO. Today we’re going to discuss a variety of risks and the process of identifying them. When teaching these concepts to my students I always mention that they can be applied to everyday life and not just business. Managing risk impacts everything we do.
Risk can occur from both internal and external events so the process of event identification is important. Let’s first deal with internal events. Internal events are those that occur within the entity. These include events related to infrastructure, personnel, process, and technology.
Infrastructure issues can include items such as overtime, maintenance, or equipment downtime. Personnel matters could include workplace incidents, fraud, labor agreements, or significant turnover or work stoppages. Events associated with process modification without appropriate change management practices can result in process errors, delivery disruptions, customer dissatisfaction, and the loss of business. Technology-related events can include issues dealing with security, systems downtime, and fraudulent transactions.
External events can be associated with a number of different areas. These influencing factors can be economic, natural environment, political, social, or technological. Economic considerations might include the availability of capital, competition, or introduction of substitute products and services. Natural environment factors can vary from flood, fire, and earthquake to other factors that could impact and impede the ability to conduct business.
Political events, especially with a global economy, can create opportunities in addition to creating potentially adverse business risks. Social trends also produce a variety of opportunities and threats. Technology produces an entire host of issues ranging from electronic commerce and changes to infrastructure to increased demand for technology-related products.
Once you have identified the range of risk-related events, you are then in a position to develop an analysis of the cost versus the benefits of alternative risk responses. It is pretty easy to deal with the cost side of the equation associated with direct costs. The difficult part is developing a way to measure the indirect costs. Activity Based Costing is an option that should be considered. In addition to just looking at the negative side of risk, it is essential to carefully consider the opportunity costs and resources available to take advantage of new possibilities.
How do we track and identify events that have the possibility of risk? Some organizations utilize loss event tracking techniques. These start with a focus on common historical events using internal staff perceptions. More advanced techniques will utilize factual sources of observable events and feed data into projection models. Some other techniques include facilitated workshops and interviews together with process flow analysis. Data monitoring techniques will gather data to track leading event indicators to identify possible conditions that could give rise to a potential event. Loss event data methodologies using past individual loss events represent another technique. There are a variety of event identification tools that are in use.
Some examples of event categories really help to provide clarity to the process of identifying risks. The following list is only a sample:
a) Access to capital
b) Supplier effectiveness
c) Process efficiency
d) Process effectiveness
f) Asset management
g) Inability to meet customer demand
h) Intellectual property
i) Leadership – getting the right people on the bus and in the right seats
k) Systems and IT
l) Concentration of either customers, products, geographies
n) Interdependencies between business units
q) Government regulations
r) Employee capabilities including the loss of key skills
s) Confidentiality of data
This provides some overview on the issues of managing risk. In my opinion more organizations should be integrating the ERM Framework into their operating functions. It should become a normal way of doing business and making decisions. We are seeing evidence where boards of directors are placing increased emphasis and focus on risk management. It is an uncertain environment in which we live and operate, so risk management should be one of the highest priorities. We can choose to either manage risk or let risk manage us. I like the first option.