Kindly contributed by Craig Evans, Head of Business Development at Graydon
Today a so-called ‘risk assessment’ was planned with a number of the organisation’s managers. The aim was to create a risk chart indicating the most significant risks for our company. We had allowed half an hour for this exercise, and after 20 minutes I had reached the conclusion that I had approached things all the wrong way. Everyone was talking at cross purposes, and at the end of the ‘assessment’ I had a very colourful risk chart showing gross risks, net risks, causes, impacts and risk events all in a muddle. I left the session feeling rather disillusioned. Having spent the past 25 years discussing ‘risk’, I had failed to allow sufficiently for the fact that everyone has a different perception of the term risk.
Definition of risk
A risk always consists of the following three components: the cause, the risk event and the impact. The cause is usually the most obvious: the reason why something threatens to go wrong. The risk event is the incident; in short, what can go wrong in a particular place within a particular timespan. The impact is the (undesired) result.
Example: a cyber attack
- Risk event = cyber attack by criminals from outside the organisation.
- Cause = the prevention and detection measures put in place by the organisation are insufficient, allowing a cyber criminal to succeed in entering the network.
- Impact = important data or financial resources are extracted from the company via the (digital) network or the company’s service provision is hampered by rendering the IT systems inaccessible for staff and/or customers.
This example immediately demonstrates that we should not manage the risk event itself, but instead the cause. If we take action to make it harder for cyber criminals to enter, or to detect such intrusions earlier, then the chances of a cyber attack being successful are reduced. Risk management is therefore about the cause of the risk event. It is the cause, rather than the risk itself, that needs to be dealt with in order to avoid the risk occurring. We refer to ‘risk management’ whereas in fact the term ‘cause management’ would be more appropriate. I must admit though that risk management does have a better ring to it.
Sorts of risks
There are different sorts of risks. As an auditor I naturally talk in terms of the ‘inherent risk’ while many managers think in terms of ‘net risks’. It is therefore very important to be clear up front on the type of risks under discussion. The gross risk or inherent risk is the risk without taking into consideration any control measures. With control measures in place the gross risk is reduced to a level considered acceptable by the management team. This is then the net risk, which still applies after all the measures that have been taken. The risk of, say, a cyber attack without any form of protection is very significant (gross risk). By applying ICT measures the risk is reduced (net risk).
- Gross risk – protection measures = net risk
Evaluation of the risk
What represents a significant risk for one person is negligible for another. That’s why it’s important to allocate a value to the risk. This allows everyone in the company to treat the risk at the same level. A value can be attributed by determining the chance of the risk occurring and the possible impact. This may sound simplistic, but how do you determine risk without the statistical support of real historic figures? Many organisations make an estimate of both values. The chance of the risk occurring is often indicated on a scale from 1 to 5, whereby 1 indicates no likelihood of the risk occurring in, say, the next 3 years. A 5 can, for example, indicate that the risk is expected to occur within 1 month. The organisation should decide for itself how to divide up this scale. Many good examples are available on the internet. The same applies to the impact of a risk. This is also often considered in terms of the same scale from 1 to 5, whereby 1 represents a negligible impact and 5 a serious threat to the continuity of the organisation.
Chance of the risk occurring x risk impact = risk value
There are other possible categories besides the ones mentioned above. These can allow a division to be made between strategic and operational risks; other divisions are conceivable. The most important aspect of risk management is that all participants in the ‘risk assessment’ process are told clearly beforehand which definitions and divisions will be used and how the risks are to be evaluated. Only in this way is it possible to create a joint risk chart that everyone can relate to.
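As an added illustration (not from the original article or from Graydon), the small risk register below applies the conventions described above: each risk records its cause and event, is scored on the agreed 1-5 scales both gross (no controls) and net (with controls), gets a value of chance x impact, and is placed on a 5x5 risk chart. The register entries other than the cyber attack example, and the choice to have assessors re-score likelihood and impact separately for the net view, are assumptions made for the example.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the agreed 1-5 scale for both likelihood and impact


@dataclass
class Risk:
    event: str             # the risk event: what can go wrong
    cause: str             # the cause: what risk management actually acts on
    gross_likelihood: int  # scored with no control measures in place
    gross_impact: int
    net_likelihood: int    # re-scored with controls in place (assumption: assessors
    net_impact: int        # re-score both factors to express "gross - measures = net")

    def __post_init__(self):
        # Enforce the scale agreed beforehand so every participant scores the same way
        for name in ("gross_likelihood", "gross_impact", "net_likelihood", "net_impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name}={getattr(self, name)} is outside the agreed 1-5 scale")
        if self.net_likelihood > self.gross_likelihood or self.net_impact > self.gross_impact:
            raise ValueError(f"{self.event}: net score exceeds gross score; controls can only reduce risk")

    @property
    def gross_value(self) -> int:
        return self.gross_likelihood * self.gross_impact  # chance x impact = risk value

    @property
    def net_value(self) -> int:
        return self.net_likelihood * self.net_impact


def rank(register, view="net"):
    """Order the register by risk value so the chart is read in the same order by everyone."""
    key = (lambda r: r.net_value) if view == "net" else (lambda r: r.gross_value)
    return sorted(register, key=key, reverse=True)


def risk_chart(register, view="net"):
    """5x5 chart {(likelihood, impact): [events]}; a risk moves cells between the gross and net views."""
    chart = {(l, i): [] for l in SCALE for i in SCALE}
    for r in register:
        cell = (r.net_likelihood, r.net_impact) if view == "net" else (r.gross_likelihood, r.gross_impact)
        chart[cell].append(r.event)
    return chart


# Constructed sample register: the article's cyber attack example plus two made-up entries
REGISTER = [
    Risk("cyber attack", "insufficient prevention and detection measures", 4, 5, 2, 4),
    Risk("key supplier insolvency", "no financial monitoring of critical suppliers", 3, 4, 2, 3),
    Risk("office flooding", "server room below the waterline", 2, 5, 2, 2),
]
```

Calling `rank(REGISTER)` or `risk_chart(REGISTER, "gross")` gives the net ranking or the gross chart for the same register, which is the comparison the managers in the session were mixing up.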
Graydon provides business intelligence solutions for Credit Management and Risk & Compliance. By combining data with business insights, Graydon helps companies to gain access to capital and to expand their knowledge in order to strengthen their competitive position. Graydon has offices in London, Amsterdam and Antwerp and uses a network of 130 international databases around the world with information of more than 90 million companies.