What is a Risk Assessment

By Claire Pahlmeyer, Senior Associate

Risk assessments identify and analyze the risks affecting an organization’s ability to achieve its objectives. Whether your organization is looking to improve efficiency, identify risk gaps, or implement an internal audit program, an organizational risk assessment is a great starting point. Organizational risk assessments can help you decide which areas to focus on first and what types and amounts of resources to allocate. The concept of conducting an organizational risk assessment may seem daunting at first, but it can be summarized into two primary tasks: risk identification and risk analysis.

Risk Identification

Risks are identified through interviews, surveys, and other sources, as deemed applicable. Input from staff at every level, from employees through management, is key to ensuring all types of risks are exposed, since different levels of staff often have different perspectives on the organization’s operations. Interviews (ideally performed by a third party) provide a platform to dive deep into the perspective of a few individuals, while surveys allow a wide array of individuals to share their thoughts on a few select issues. Other sources of risk identification include previous internal audits and risk assessments, external audits, and advisory reports.

Risk Analysis

Each risk is analyzed for its respective impact, likelihood, and velocity.

  1. Impact is the extent of the consequences a risk could have on an organization, ranging from minor to extreme. Impact is evaluated not just by financial impact, but also by other areas like operations, compliance, safety, and reputation.
  2. Likelihood is the chance that a particular risk impact could occur within the organization, ranging from rare to almost certain. Likelihood considers the type of risk and also the controls that are in place to mitigate it.
  3. Velocity is the speed at which a risk can occur, ranging from slow to fast. In essence, it considers how long the organization will have to respond if the risk in question occurs.

For example, the risk of physical facility damage due to a natural disaster could have a significant impact and high velocity, but a rare likelihood depending on regional climate conditions.

The results of a risk assessment inform an organization’s internal audit plan for the upcoming year, and help decision makers, such as management or the Board of Directors, determine where to allocate resources. Once risks are identified and analyzed, the key risks to the organization become clear and can be prioritized. It is important to note that the less ‘risky’ risks should still be represented in the analysis. A risk assessment and audit plan that focuses only on the highest risks each year neglects the small but potentially pervasive issues in less risky areas that could develop into larger issues if left unchecked.

Risk assessments in an organization with a strong internal audit function should be performed annually and can be updated throughout the year. In addition, each internal audit should have an engagement risk assessment to ensure the audit scope covers the most relevant areas. Organizations with less mature internal audit functions should still update their risk assessments annually but may not need as robust a process as organizations with more mature internal audit functions.

If you think a risk assessment would be beneficial for your organization, please contact Kernutt Stokes to discuss which options will best benefit your business.
