Risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Done right, a risk assessment gives organizations a clear view of the variables to which they may be exposed, whether internal or external, retrospective or forward-looking. A good assessment is anchored in the organization’s defined risk appetite and tolerance, and provides a basis for determining risk responses. A robust risk assessment process, applied consistently throughout the organization, empowers management to better identify, evaluate, and exploit the right risks for their business, all while maintaining the appropriate controls to ensure effective and efficient operations and regulatory compliance.
For risk assessments to yield meaningful results, certain key principles must be considered. A risk assessment should begin and end with specific objectives that are anchored in key value drivers. These objectives provide the basis for measuring the impact and probability of risk ratings. Governance over the assessment process should be clearly established to foster a holistic approach and a portfolio view—one that best facilitates responses based on risk ratings and the organization’s overall risk appetite and tolerance.
Regardless of the scope or mandate, risk assessments must bring together the right parties to identify events that could affect the organization’s ability to achieve its objectives, rate these risks, and determine adequate risk responses.
A robust risk assessment process forms the foundation for an effective enterprise risk management program. It constitutes a key component of the Enterprise Risk Management—Integrated Framework and related Application Guidance published by the Committee of Sponsoring Organizations in 2004 (COSO ERM). It is important to recognize the interrelationships between risk assessment and the other components of enterprise risk management (such as control activities and monitoring) and understand the principles and steps that help ensure the relevance and effectiveness of a risk assessment.
Finally, capturing leading indicators enhances the ability to anticipate possible risks and opportunities before they materialize. With these foundational principles in mind, the risk assessment process can be periodically refreshed to deliver the best possible insights.
Defining Risk Assessment
Risk assessment is a systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of objectives, positively or negatively. Such events can be identified in the external environment (e.g., economic trends, regulatory landscape, and competition) and within an organization’s internal environment (e.g., people, process, and infrastructure).
When these events intersect with an organization’s objectives—or can be predicted to do so—they become risks. Risk is therefore defined as “the possibility that an event will occur and adversely affect the achievement of objectives.”
Purpose of the Risk Assessment
Risk assessment is intended to provide management of CDD with a view of events that could impact the achievement of objectives. It is best integrated into existing management processes and should be conducted using a top-down approach that is complemented by a bottom-up assessment process.
Applicability and Implementation of Risk Assessment
Risk assessment shall be conducted at various levels of the organization.
The objectives and events under consideration determine the scope of each risk assessment, which shall be undertaken several times per year.
Strategic risk assessment:
Evaluation of risks relating to the organization’s mission and strategic objectives, performed by the senior management teams and board of CDD in strategic planning meetings.
Operational risk assessment:
Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events. Operational risk assessment shall be conducted by the financial manager, Chairperson and project managers.
Compliance risk assessment:
Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed. Compliance risk assessment shall be conducted by the senior management teams and board of CDD.
Security risk assessment:
Evaluation of potential gaps in an organization’s physical assets and information protection and security. Security risk assessment shall be conducted by the Chairperson, office manager and regional coordinators of CDD.
Project risk assessment:
Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, target groups, timelines, cost, and other key considerations. Project risk assessment shall be conducted by the senior management teams and board of CDD.
Conclusions
The principles of enterprise risk management require not only that CDD perform a risk assessment but also that it implement a process to address potential risks: putting in place the necessary internal environment, information, and communications; establishing objectives; adequately implementing risk responses through control activities; and monitoring how effectively objectives are achieved.
Therefore, the internal Risk Assessment Process shall be:
• Effected by the board, management and other personnel of CDD;
• Applied in strategy setting and across the organization;
• Designed to identify potential events that may affect the entity, then manage risk and keep it within the organization’s risk appetite;
• Intended to provide reasonable assurance regarding the achievement of the entity’s objectives.