In today’s fast-paced business environment, coupled with significant regulatory, social and technological changes that have occurred the past few years, organizations are subject to myriad risks. As a result, it’s more important than ever to identify risks and develop a work plan to address and mitigate them.
Risk is defined as the possibility that events will occur and adversely affect the achievement of objectives. These objectives can fall into nine major categories:
Businesses are not created equally, hence, a risk assessment should encompass all operational areas, as well as recent regulatory changes, prior regulatory and internal audit issues, and risk appetite. An assessment provides a basis for compliance training and ethics programs and helps refine or develop risk mitigation and monitoring strategies. It also helps develop benchmarks for ongoing assessment and measuring effectiveness.
Step No. 1 in the risk assessment process is to establish a risk committee and appropriate risk governance. Who will lead the charge and how information will be reported must be determined. Typically, someone is assigned the responsibility of being the risk officer, reporting to an audit or management committee, which, in turn, may report to a board of directors.
Step No. 2 is to identify the organization’s risks and risk profile. The latter describes the consequences of risk occurrences, as well as triggers. Risks need to be evaluated to determine likelihood of occurrence and impact intensity, both financial and reputational. Next, the organization needs to understand existing mitigation controls and others that could be implemented. A contingency plan, should risks occur, and response to occurrences should be outlined.
The final step is to monitor and report. This process is critical as regular, periodic updates help maintain an acceptable level of risk and identify any risk creep. NJB
About the Author: Sherise D. Ritter, CPA, CGFM, CGMA, is managing director of The Mercadien Group, principal of Mercadien, P.C., CPAs and practice leader of its nonprofit services group.