There is not any approach to assess risks that does not involve some level of judgment. It is done, for instance, to establish risk goals and tolerance levels, or to predict risk outcomes. This judgment needs to be done a changing business environment for most industries. Companies may or may not control change; however they need to control their response to change. In this post, I am sharing some comments to assess risks in rapidly a changing business environment.
There is some advice to assess risks for industries, companies or circumstances which involve a rapidly changing environment. The market never stands still (and it is hard to predict). Some example of business changes that impact risks are key staff movements, increased/decreased regulations, following different strategies, economy cycles, expiration of liabilities, changes in stakeholders´ needs and swifts in product lines. Changes can be either positive or negative to the original status.
In order to manage change, it is important to understand the key assumptions done when assessing risks. This assumptions need to be described in the assessment process. When a business change affects the stated assumptions, the related risks need to be reassessed by their owners. Business owners and staff involved with ERM need to be alert of the internal and external changes to update the risk assessments.
Including potential scenarios for assess the impact for all the risks can also help to deal with change. The risk assessment could include the most expected outcome, and also, the best and worst scenarios. At the end, risk assessments need to consider a full range of potential impact. Having different outcome scenarios helps to understand how volatile a risk is to change. Volatile risks should be monitored in with a different frequency.
Establishing and updating key risk indicators (KRI) can also detect the impact of changes across the company (especially for sensitive business issues). This monitoring function is important to maintain a live project risk database to envision change. All relevant risk factors (including those classified as remote) need to be scanned to detect change. Even more, a system of early warning indicators (EWIs) could get the managers´ attention to changes in the environment (and the effectiveness of the current risk management actions). KRI and EWI reporting are effective to improve the risk radar.
When setting an ERM for a company in a changing environment, the information channels need to be well oiled and fully operational. Also the staff responsible to assess risk at high-level need to determine how each reported change affects the entire company (risk interconnectedness or snowball effect). The process for risk prioritization and response will become dynamic and adaptive. The goal to use flexible tools and methodologies to assess risks is crucial when planning the ERM implementation in changing environments.
At the end, the process to detect new risks is the same process to capitalize emerging opportunities.
Get the latest in corporate governance, risk, and compliance on Twitter