Don’t be Vulnerable - Properly Assess the Risks in Your Business
In my recent article, “Balancing Act: Do You Have Too Many Controls, or Too Few?”, I summarized the COSO framework for managing risk. In this article, I dig deeper into the assessment side of managing risk.
How well does your management team know the risks embedded in your business? Understanding risk in your organization is instrumental in protecting and successfully growing your company.
By practicing sound risk management, you will identify and manage risks that could jeopardize your company’s earning capacity and assets. The process begins with a risk assessment.
Use the following objectives to develop your risk assessment process:
1. Identify your company’s risk management goals, for example:
- Stakeholder Protection
- Physical Property Protection
- Intellectual Property Protection
- Profit Margin Protection
- Other Goals
2. Determine the best method of risk management to meet the goals:
- Cultural (behavioral)
- Procedural (internal controls)
- Through an outside third party (e.g. Insurance company)
- Organizational (conflict prevention)
- Surveillance (security)
3. Assess the potential for fraud risk:
- Access to assets (tangible and intangible)
- Authority to buy, sell, dispose of or move assets
- Security that safeguards assets
4. Identify and analyze the impact of significant change:
- What are the new risks created by the change?
- Apply points 2 and 3 above to the new risks
Click on this simple Risk Management Assessment worksheet for help preparing for the discussions you should be having with your Board, Executive team and Finance team regarding Risk Management.
Types of Risk
It’s critical to consider every aspect of your business when identifying risks. Some may be common while others may be unique to your operation. For example, a company with expensive inventory will need strong controls in place to protect that inventory. A company with a large investment in research and development will need strong patent and non-disclosure protection.
Types of risk can include financial, human, intellectual, legal, physical and technological issues. It is also important to assess risks such as natural disasters or fires, and those linked to product development or economic forecasting.
Identifying a risk should lead to determining the probability of occurrence and the potential financial damage that could result from a failure or other adverse occurrence. Once the risks are identified and analyzed, you will need to establish the controls.
Controls are put in place to mitigate or manage the risk. Depending upon the nature of the risk, the control may take forms such as insurance, business practices, in-house policies or even physical barriers.
Because every business is different, the type of control you choose to implement will vary. For example, the Department of Defense will have very stringent rules and regulations on the security protocol of its contractors; a manufacturer working with a customer to develop a product will limit access to its technology with patents.
Below are examples of controls to mitigate the risks highlighted above:
1. Financial – Preparing a business plan and evaluating your expertise, the industry or the market to determine what undertakings are financially viable.
2. Human – In addition to maintaining a safe work environment to protect employees, companies can protect their human capital through training, effective goal setting and evaluation systems. Compensation structures will help by retaining the employees best suited to help the company thrive and grow.
3. Legal – Ensuring compliance with properly negotiated agreements such as employment contracts, franchise requirements or leases.
4. Physical – Having adequate insurance to cover damage and downtime from events such as spills, floods and explosions is common; today, that has expanded to such acts as terrorism and data breaches or viruses.
5. Intellectual – Knowledge and innovations of the mind can be protected through copyrights, design rights, patents, trademarks or protected trade secrets.
A crucial aspect in the process of conducting a risk assessment, making decisions and implementing appropriate controls is timing. Not all risks can be prevented or controlled, and some may even be too costly to mitigate. However, being proactive by identifying the key risks and putting a general business recovery plan in place will reduce the chance of an unforeseen risk destroying your company.