Why Should Your Organization Conduct an Enterprise Risk Assessment?

Risk Advisory/Internal Audit

By Steve Bank

Regardless of your organization’s size and complexity, performing a periodic enterprise risk assessment is critical for aiding key stakeholders (board, management, associates, etc.) to recognize the threats to the organization and assess their potential impact on the organization’s ability to achieve its objectives. 

Enterprise Risk Assessments

The first step in performing an enterprise risk assessment is defining your organization’s risk universe (business functions, products, services, customers, etc.). Interviews of key management are a common method to inventory and evaluate risks such as financial, fraud, human capital, technology, and regulatory risks, to name a few. For each identified risk, specific details of what could go wrong (the risk being realized) are defined.

Having developed an understanding of the risks residing within the organization’s functional areas, the risks must be measured to determine the threat level they pose to the respective function(s) and to the organization as a whole. This is what is called the risk impact (risk severity). Depending on the risk being assessed, it may be based on criteria such as potential financial loss or the potential loss of life or limb (assessing impact does not need to be in dollars). Another key component of assessing risk is the probability that the risk will be realized (probability of occurrence). In addition to these two key components of measuring risk, impact and probability, organizations may also want to separately assess the velocity (the speed at which the risk can occur) and the frequency (how often the risk may occur over a pre-defined period of time) of the risk.
Consider the risk of a data breach from a phishing attack (the fraudulent practice of sending emails that purport to be from a reputable, known party when in fact they come from an illicit third party intent on circumventing an organization’s control practices). Phishing can lead to several adverse outcomes: financial loss (e.g., directing the unauthorized transfer of funds to an unknown third party), theft of data, and unplanned costs to implement additional security practices and to train employees to recognize the threat. With respect to phishing, there is a high probability it is occurring in your network and that these emails are being received by your employees. The potential impact on your organization could be significant. The velocity of phishing attacks is high (the speed of electronic transactions), and the frequency can be high, as phishing attacks can occur continuously through a network.
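The two paragraphs above describe a scoring method (impact and probability, optionally refined by velocity and frequency) and then rate one risk, phishing, on all four dimensions. The following is an added example, not from the article or from Schneider Downs, of how a small risk register can apply that method consistently across many risks so they can be ranked and placed on a heat map. The three-level ordinal scale, the multiplicative scoring formula, and the sample register entries are assumptions constructed for illustration; the phishing entry mirrors the ratings given in the article.

```python
"""Toy enterprise risk register: scores risks on the four dimensions
named above (impact, probability, velocity, frequency) and ranks them.
The scale and the weighting are assumptions, not a published standard."""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scale shared by all four dimensions (assumption).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    function: str       # area of the risk universe the risk sits in
    impact: str         # severity if the risk is realized
    probability: str    # likelihood of the risk being realized
    velocity: str       # how quickly it unfolds once triggered
    frequency: str      # how often it may recur in the assessment period

    def __post_init__(self):
        # Reject ratings outside the agreed scale so every risk is comparable.
        for dim in ("impact", "probability", "velocity", "frequency"):
            value = getattr(self, dim)
            if value not in LEVELS:
                raise ValueError(
                    f"{self.name}: {dim}={value!r} not in {sorted(LEVELS)}")


def inherent_score(risk: Risk) -> int:
    """Classic heat-map position: impact x probability, range 1..9."""
    return LEVELS[risk.impact] * LEVELS[risk.probability]


def priority_score(risk: Risk) -> float:
    """Inherent score scaled by the mean of velocity and frequency (1..3),
    so a fast, recurring risk outranks a slow, one-off risk with the same
    impact and probability.  Range 1..27."""
    tempo = (LEVELS[risk.velocity] + LEVELS[risk.frequency]) / 2
    return inherent_score(risk) * tempo


def rank_register(risks):
    """Return (name, priority_score) pairs, highest priority first;
    ties are broken alphabetically so the ordering is stable."""
    return sorted(((r.name, priority_score(r)) for r in risks),
                  key=lambda pair: (-pair[1], pair[0]))


def heat_map(risks):
    """Group risk names by (impact, probability) cell for a 3x3 heat map."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.impact, r.probability)].append(r.name)
    return dict(cells)


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    Risk("Data breach via phishing", "Technology",
         "high", "high", "high", "high"),
    Risk("Wire fraud via invoice spoofing", "Finance",
         "high", "medium", "high", "medium"),
    Risk("Loss of key finance staff", "Human capital",
         "medium", "medium", "low", "low"),
    Risk("New privacy regulation", "Regulatory",
         "high", "low", "low", "low"),
]

if __name__ == "__main__":
    for name, score in rank_register(SAMPLE_REGISTER):
        print(f"{score:5.1f}  {name}")
    for cell, names in sorted(heat_map(SAMPLE_REGISTER).items()):
        print(cell, names)
```

Keeping velocity and frequency as a separate multiplier, rather than folding them into impact, lets the heat map stay the familiar impact-by-probability grid while the ranking still reflects how quickly and how often a risk can bite; in the sample register, phishing scores 27 and the low-probability regulatory change scores 3, even though both are rated high impact.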

Schneider Downs Risk Advisory Services Practice is here to help. In many organizations, execution of the assessment resides with risk management specialists. Our Risk Advisory Services practice is experienced in performing enterprise risk assessments. We can work with your organization to understand the risks that present the greatest threat to your organization and recommend leading practices for mitigating these risks. Contact us if you have questions and visit our Risk Advisory Services webpage to learn more about other services that we offer.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.