As we work with organizations to help them to develop their Enterprise Risk Management programs, there is a common challenge we see in how people approach risk assessments, and that is distinguishing between risks and risk sources.
For anyone who has not studied risk assessment methods, this is extremely common and comes up in virtually every risk assessment we review. Understanding the difference between these two is important to building better risk assessments, and critical to creating effective and efficient internal controls.
Five questions to ask—and one more critical one
Whenever you perform a risk assessment, there are a series of questions that typically get asked:
1. What could go wrong?
2. How likely is this event?
3. What would be the impact of the event?
4. Is that outcome acceptable within our stated risk tolerance?
5. Is there something that we need to do to mitigate some of the risk?
But, there is actually a sixth question that is very often overlooked:
“What might lead to this event taking place?”
This is the risk source—those circumstances or actions that would set the stage for an unwanted event. Don’t confuse the event (what could go wrong) with its source (what might lead to it).
Isolating the risk event from the risk sources
Generally speaking, for something to be considered a risk event, the following should be true:
1. It should be tied to a defined process, since virtually all risks represent a process failure of some sort.
2. You should be able to quantify the impact of the event.
3. It should generally reflect an unexpected outcome.
Anything that does not meet these criteria may very well be a risk source.
Let’s take one example to clarify this point. We often see clients indicate “lack of procedures” or “lack of training” as a risk. But both of these are extremely hard to quantify, because you simply don’t know what will happen as a result.
However, these are both excellent examples of risk sources, those conditions that create fertile ground for unwanted events (process failures) to take place. Instead, consider the following:
• Risk: Failure to properly authenticate customers, which could lead to fraudulent activity, a negative customer experience, reputation issues and regulatory scrutiny, including fines and sanctions.
• Risk Source: Lack of proper training, lack of sufficient policies, lack of procedures, and employee error.
Why is making this distinction so important?
First, by more clearly defining the risk, we can be more precise in estimating the impact and determining the proper level of controls needed in order to mitigate the risk to within an acceptable tolerance.
The second reason: While we use the risk itself (the process failure) to estimate and assess the impact, we use the risk sources to design the controls. Controls are built in response to risk sources, whereas impact statements are built off the event itself.
So in the example above, we can analyze the risk to fully understand its potential impact, and then make a determination about the right level of controls. Then, we use the information about the sources to decide how to build the appropriate controls. So, for instance, we make sure that a policy and appropriate procedures exist and are maintained, and employees receive the appropriate level of training.
Now note the last risk source, employee error. Here is an example where you can’t create a control: People will make mistakes.
What you can do is ask yourself, if an employee did make a mistake, is the risk still so great that the impact would be unacceptable? (Again, we are trying to align with our risk appetite.)
If the potential remaining risk due to an employee error is so great as to be beyond acceptable tolerance levels, then a secondary level of controls is needed, but only based on our assessment of the basic risk (process failure).
Eight common risk sources to watch for
To aid you in this approach, following are some very common risk sources to consider:
• Employee error
• Lack of policies and procedures
• Lack of sufficient training
• Inexperience or unqualified staff
• A changing environment (products, policies, reporting lines, etc.)
• Lack of clear lines of authority
• Lack of dual controls
• Malicious intent, either internally or externally
Each of these can be closely tied to an internal control, but would be very hard to quantify if considered as a stand-alone risk.
Adding this simple thought process to risk assessments adds very little time to the exercise. But encouraging people to think about risk in these two dimensions exponentially increases the value of the information, because it not only allows you to focus on real risks that can be quantified, it also gives you much more information to use when deciding on the right level of controls.
About Eric Holmquist
Holmquist is managing director, Enterprise Risk Management, at Accume Partners. Holmquist has over 30 years of experience in the banking industry, including operations, finance, treasury, IT, information security, and risk management. As head of Accume’s ERM practice he helps clients implement an ERM framework designed to align all risk with acceptable risk appetite and tolerance.