Embedding a robust risk assessment process

Aug 7, 2025

Most organisations use financial criteria and thresholds as part of their risk assessment process, but what about the non-financial categories?

A risk leader in our network wanted to understand what non-financial impact categories their peers use as part of their risk assessment criteria, and how they have embedded their approach to risk assessments in their business.

Through our bespoke assistance service, we produced a benchmark report incorporating insights from global risk leaders across a range of sectors. In this article, we share some highlights of the report for non-members.


What are the most common non-financial risk assessment categories used at large multi-national organisations?

  • All companies include legal and compliance as a risk assessment category, alongside financial impact.
  • All but one of the companies we surveyed include reputational impact.
  • By contrast, just a third of organisations include strategic impact, indicating that the focus of risk assessments may be relatively short-term at most companies.

Getting engagement from risk owners

Many companies are still on the journey to embedding an understanding of risk matrices and assessments in the business. A key part of this challenge is engaging risk owners and getting their support for a particular risk assessment methodology. Here are 5 steps companies have taken to boost engagement with, and gain buy-in from, risk owners, as shared in our latest pulse-check report:

1. A tailored approach to securing risk owner engagement

Focus on understanding the specific context of each risk owner and starting from their current level of engagement. If direct meetings are a challenge to schedule, either request that risk is added to the leadership team’s agenda (a top-down approach), or collaborate with the subject matter experts (SMEs) reporting to that risk owner to spark discussion (a bottom-up approach).

2. Structural change and senior accountability

Focus on embedding risk management more deeply into the company’s corporate structure. One company has created 2 senior roles specifically accountable for risk oversight and direction of business unit risk activities. The goal is to elevate the importance of risk management and drive engagement with risk owners at the senior leadership level.

3. Collaborative workshops and uplift programmes

Run workshops across the business for material risks. These sessions are not just about re-rating risks; they provide an opportunity to challenge existing risk capture and assessment methods, fostering active participation and ownership. You could also supplement workshops with 1-to-1 induction sessions for risk owners themselves, ensuring that they engage with the risk assessment process from the very beginning.

4. Leverage internal audit to support assessment

For business areas and operational teams with particularly low levels of engagement, try engaging internal audit to help perform a maturity assessment. This can bring issues, like a lack of engagement with risk assessment processes, to light and highlight the need for improvement, creating an impetus for change.

5. Provide risk owners and teams with clear options

One risk leader explained how a business unit approached their team for assistance with an IT-related system issue.

The risk team responded by developing a presentation pack, which laid out 3 proposals with a risk matrix underneath, clearly spelling out risk consequences and likelihood in each scenario:

  • Do nothing, business as usual;
  • A tactical solution;
  • A strategic solution.

This empowered the business unit team to make an informed decision based on clearly defined risk implications, as well as facilitating more confident use of the risk matrix in the future.


What's next?

Is the standard 5x5 risk matrix an antiquated tool, or a powerful conduit for risk appetite and an enabler of future growth aspirations? This is a question risk leaders are discussing right now. Within the network, we’re facilitating collaborations on topics like risk assessment and analysis, giving members an opportunity to compare approaches, validate strategies and gain an insight into other practitioners’ risk assessment methodologies. 

To find out more about getting involved in upcoming collaborations with experienced peers, request an exploratory call, or explore membership here.
