Risk Assessment Considerations to Protect Your Business

An understanding of the risks faced by your business can either make or break it, but not many persons place importance on this activity.

How will you know the threats faced and the controls that should be implemented to minimize the negative impact?

Simple. Conduct a risk assessment.

As the name suggests, a risk assessment is an analysis of all the possible risks that your business faces and the corresponding ranking of same to determine where you should focus your resources.

I must admit that this can be a time-consuming task, no matter the size of your company.

However, rest assured that this assessment could possibly be one of the most important tasks undertaken.

So, disclaimer, this is not a “how-to” post.

Instead, this post will provide a list of things you should consider when analyzing the risks you can encounter.

1. Fraud Events

Were there any known fraudulent events that occurred during the past year?

Are you able to determine the financial or reputational impact?

Was there financial loss material enough to warrant further review?

Was there reputational damage?

These are just a few questions you should ask yourself.

Now, don’t limit this assessment to your business alone! You should consider other companies in your industry or others with similar processes as yours. Did they experience fraudulent events as well?

Note that the business does not have to be the same as yours. As long as the company has a similar process, then fraudulent events that occured should be considered.

After all, it could very well happen to you too!

For example, a medical office and a clothing store might both have accounts receivables as a process, though they are not in the same industry.

If there was a known fraudulent activity at the clothing store concerning accounts receivable, then the medical office’s manager should consider whether a similar activity could occur in his/her business.

This principle applies to companies, both big and small.

2. Past Audit Findings

For companies that have been audited, you should look at the prior findings related to the business process being assessed.

It is recommended that you look at findings for the past 3 years.

What control weaknesses were identified?

Also, look at the corresponding follow up reports to see if the deficiencies identified were remedied.

The perceived risk will depend on the type of report that was issued and the subsequent control improvements made.

3. Financial Impact

What is the financial value of the process, if it can be determined?

For example, you can determine your accounts receivable balance by looking at your general ledger.

Now, compare this to the overall value of the business. Does this process account for a significant portion of the company’s value?

If so, this could be a critical process that might need to be monitored.

4. New Products/Services

If you went through the typical process, then market research would have been done prior to launching the new product or service.

However, this does not guarantee that the offering will be successful.

There could be unexpected changes such as economic turmoil, increased competition, and so forth that could alter the market demand for your product or service.

This is usually considered to be a risky area because, since the offering is new, management might not be able to accurately determine the overall impact a possible failure will have on the business.

5. Change in IT System/Platform

Management could decide to change the information system used. This could be due to various reasons such as cost concerns, significant change in staff complement (increase or decrease), features, etc.

In this case, employees will need to be trained on how to use the new system. It will be expected that there could be mistakes made leading to errors in data.

This is also an opportunity for employees to commit fraud.

6. Change in Senior Management

A change in senior management could result in a change in the company’s culture, procedures, risk appetite, etc.

Furthermore, it could take a while for employees to adjust to the change and could lead to confusion if expectations have suddenly shifted.

7. Risk Appetite

Overall, risk appetite will determine the level of controls and reviews that will be undertaken.

Risk appetite speaks to one’s willingness to withstand risk in order to achieve value for the company.

The lower one's risk appetite, the more controls that should be expected as well as higher frequency and scope of reviews.

The considerations above should be applied to EACH process identified.

Keep these in mind the next time you assess your risks and you could be one step ahead of the competition.