Managing Risk

How to Manage Risk

Learn the steps to create and maintain a risk assessment plan.

In today’s fast-paced business environment, coupled with the significant regulatory, social and technological changes that have occurred over the past few years, organizations are subject to myriad risks. As a result, it’s more important than ever to identify risks and develop a work plan to address and mitigate them.

Risk is defined as the possibility that events will occur and adversely affect the achievement of objectives. These objectives can fall into nine major categories:

  • Strategic – succession planning, expansion beyond expertise, reliance on single revenue stream;
  • Operational – client service deficiency, insurance coverage adequacy, disaster recovery/business continuity;
  • Finance – debt covenant compliance, fraud;
  • Human Capital – key employee flight, inadequate training, employee access and rights;
  • Social Media – accounts and activity (LinkedIn, Twitter, Facebook);
  • Information Technology – smart phone security, network vulnerability;
  • Legal and Compliance – industry, federal and state regulatory compliance, payroll, Affordable Care Act;
  • External – economy; and
  • Reputational – all of the above.

Businesses are not created equally; hence, a risk assessment should encompass all operational areas, as well as recent regulatory changes, prior regulatory and internal audit issues, and risk appetite. An assessment provides a basis for compliance training and ethics programs and helps refine or develop risk mitigation and monitoring strategies. It also helps develop benchmarks for ongoing assessment and for measuring effectiveness.

Step No. 1 in the risk assessment process is to establish a risk committee and appropriate risk governance. Who will lead the charge and how information will be reported must be determined. Typically, someone is assigned the responsibility of being the risk officer, reporting to an audit or management committee, which, in turn, may report to a board of directors.

Step No. 2 is to identify the organization’s risks and risk profile. The latter describes the consequences of risk occurrences, as well as their triggers. Risks need to be evaluated to determine likelihood of occurrence and intensity of impact, both financial and reputational. Next, the organization needs to understand existing mitigation controls and others that could be implemented. A contingency plan for when risks materialize, and the response to such occurrences, should be outlined.

The final step is to monitor and report. This process is critical, as regular, periodic updates help maintain an acceptable level of risk and identify any risk creep. NJB

About the Author: Sherise D. Ritter, CPA, CGFM, CGMA, is managing director of The Mercadien Group, principal of Mercadien, P.C., CPAs and practice leader of its nonprofit services group. 
