Bringing value to your organization’s enterprise risk management (ERM) program is becoming increasingly more complex. Boards and senior management are demanding more data from their risk managers to effectively set their strategy and objectives to strike a balance between growth and return related to risk. Risk assessments play an instrumental role in helping leadership make strategic, risk-based decisions, and it is incumbent upon risk managers to deliver this valuable information in a timely, appropriate, and objective fashion to help steer the organization’s success.
Risk assessments are generally conducted in two specific ways: qualitative and quantitative. These two types of risk assessments can be conducted simultaneously or in a specific order depending on the organization’s needs. The “one-size-fits-all” approach normally doesn’t work for the majority of organizations.
So, what are successful organizations and their risk managers doing to accomplish this vital aspect of managing their business? For one, they are combining multiple risk assessment types to achieve a more accurate understanding of their threat levels.
Both qualitative and quantitative assessments have their pros and cons. Most organizations begin with qualitative assessments and develop quantitative as their decision-making needs require. By bringing together a linked view utilizing results from both assessment types, they are achieving levels of complexity and insight not previously attained.
The qualitative assessment is generally the first assessment used to determine risk impact associated to the organization’s risk categories (i.e., compliance, financial, operational & strategic) along with any subcategories deemed appropriate to their strategic objectives, initiatives, and business units.
This is usually accomplished via the use of descriptive scales such as “Low, Medium, and High.” While qualitative assessments may be less precise, they still offer valuable direction in preliminary identification of risk across an organization when utilized appropriately. The use of this assessment type will help guide you towards those areas of risk impact that require a deeper understanding by completing a quantitative assessment.
The quantitative assessment is generally performed on areas of risk marked for further analysis from the qualitative assessment process. By ascertaining the effect of identified risks on overall objectives, conducting a quantitative assessment certainly provides a deeper level of detail and understanding of impact. Keep in mind, though, that some risk types may not be quantifiable.
Quantitative assessments require numerical values for both impact and likelihood to the organization’s risk categories/subcategories to generally understand impact to assets and/or capital. Before deciding to conduct this type of assessment, organizations should carefully consider the time it will take and the resources and data required to accurately utilize the assessment.
However, when properly levied against the organization, the wealth of information quantitative assessments deliver to senior management and the board for risk decision-making can be substantial.
Again, both qualitative and quantitative assessments generally have inherent challenges related to the information and resource requirements for data and/or analytical models. So it only makes sense that if you want to maximize the accuracy of your risk and opportunity predictions, you should look to combine the two. This combination can come in the form of two separate assessments or the possibility of a hybrid approach that combines attributes from both types during the assessment process.
Regardless of how you choose to assess, achieving maximum value requires that your risk assessment methods are commensurate with the risk areas and business lines you are assessing within the organization. In some areas of your business, a qualitative assessment may suffice; in others, you may need to quantify your assessment as well.
In either case, once you have this compounded view across the organization, senior management can begin to determine with greater accuracy whether the organization’s overall risk is within its risk appetite and begin to create appropriate risk responses as required.
About the Author:
As Quantivate’s Vice President of ERM Services, William “Bill” Hord has over 29 years of experience in executive management within the financial services industry focused in risk management, business continuity, financial software, and lending & collections.