Enterprise risk management is becoming increasingly more complex as we attempt to set strategy and objectives to strike a balance between growth and return related to risk. Boards and senior management are demanding more data from their risk managers to effectively set their strategy and objectives. It is incumbent upon us to deliver this valuable information in a timely, appropriate, and objective fashion to help steer the organization’s success.
Risk assessments are generally conducted in two specific ways: qualitative and quantitative. These two types of risk assessments can be conducted simultaneously or in a specific order depending on the organization’s needs. The “one-size-fits-all” approach normally doesn’t work for the majority of organizations.
So what are successful organizations and their risk managers doing to accomplish this vital aspect of managing their business? For one, they are combining multiple risk assessment types to achieve a more accurate understanding of their threat levels.
Both qualitative and quantitative assessments have their pros and cons. Most organizations begin with qualitative assessments and develop quantitative as their decision-making needs require. By bringing together a linked view utilizing results from both assessment types, they are achieving levels of complexity and insight not previously attained.
The qualitative assessment is generally the first assessment used to determine risk impact associated to the organization’s risk categories (i.e., compliance, financial, operational & strategic), along with any sub-categories of risk deemed appropriate to their strategic objectives, initiatives, and business units.
This is usually accomplished via the use of descriptive scales such as low, medium, and high. While qualitative assessments may be less precise, they still offer valuable direction in preliminary identification of risk across an organization when utilized appropriately. The use of this assessment type will help guide you towards those areas of risk impact that require a deeper understanding by completing a quantitative assessment.
This assessment is generally performed on areas of risk that have been marked for further analysis from the qualitative assessment process. By ascertaining the effect of identified risks on overall objectives, the use of quantitative assessments certainly provides a deeper level of detail and impact understanding. Keep in mind, though, that some types of risks may not be quantifiable.
Quantitative assessments require numerical values for both impact and likelihood to the organization’s risk categories and sub-categories of risk to generally understand how it will impact assets and/or capital. The use of this type of assessment needs to be carefully considered based upon the time it will take and the resources required to adequately obtain the data required to accurately utilize the assessment.
However, when properly levied against the organization, the wealth of information made available to senior management and the board for risk decision-making can be substantial.
Again, both qualitative and quantitative assessments generally have inherent challenges, whether it be with the precision, comprehensiveness of information and resource requirements for data, and/or analytical models. So it only makes sense that if you want to maximize the accuracy of your risk and opportunity predictions, you should look at combining the two. This combination can come in the form of two separate assessments or the possibility of a hybrid approach, where the use of attributes within each is combined during the assessment process.
Regardless of how you choose to assess, achieving maximum value requires that your risk assessment methods are commensurate with the areas of risk and business lines you are assessing within the organization. In some areas of your business, a qualitative assessment may suffice, while in others, you may need to quantify your assessment as well.
In either case, once you have this compounded view across the organization, senior management can begin to determine with greater accuracy whether the organization’s overall risk is within its risk appetite and begin to create appropriate risk responses as required.