Risk assessment is essential for organisations of any size. From a small start-up to a multinational, assessing potential risks is crucial for survival and success.
Risk assessment, however, is no easy job. The process is rife with challenges that every good risk manager must tackle on every task. In this article, I address those challenges: I identify the issues, analyse them and, finally, offer solutions for getting past the hurdles so that effective risk management becomes possible.
The first challenge in risk assessment is resources
Leaders are constantly under pressure to do more with less. They must work quickly and efficiently while taking on new roles alongside their existing responsibilities, as if performing a balancing act. The lack of budget or physical resources compounds the problem. Part of the solution may lie in technology: use software to automate the routine, repeatable parts of the assessment (data collection, register upkeep, reporting) so that scarce people can concentrate on the more pressing issues.
The Importance of Risk Assessment
Before getting into the difficulties, let us first recall why risk assessment matters. At its core, risk assessment is the fundamental component of risk management. It consists of identifying sources of risk, estimating their likelihood and potential impact, and selecting an appropriate strategy for each: avoid the risk, reduce it, transfer it or accept it, to name the risk management recipes examined in the previous instalments of this series.
Effective risk assessment allows companies to:
- Anticipate and prepare for potential threats and possible risks
- Allocate resources more efficiently
- Protect assets and reputation
- Comply with regulatory requirements
- Enhance overall business resilience through enterprise risk management
Given its significance, risk assessment has risen up the priority list of every business continuity agenda. However, the more complex our risks become, the harder the assessment will be.
Common Challenges in Risk Assessment
Identifying Emerging Risks
The biggest challenge for the risk assessor is identifying new risks before they have materialised as risks at all. As our lives accelerate, new risks emerge seemingly overnight. Technological change, geopolitics and social shifts threaten the present and the future in unforeseeable ways.
Case Study: Artificial intelligence (AI), which has evolved rapidly, is giving rise to a whole class of risks that many organisations are still trying to quantify. From the technology itself to the ethics of its use, AI introduces complex problems for risk managers to manage.
Data Quality and Availability
Sound risk assessment depends on obtaining the right risk data at the right quality, which is often tricky. Organisations struggle with:
- Incomplete or inaccurate data
- Outdated information
- Lack of historical data for new or emerging risks
- Difficulty in quantifying qualitative risks
Without sound data, risk managers are forced to make decisions on inferior information and may fail to mobilise effective control and mitigation strategies.
Cyber Risk Management
Cyber risks are everywhere. We increasingly live in a digital world in which protecting intellectual property and client information is paramount, and organisations of all types must now take seriously the vulnerabilities and cyber attacks that can threaten their business model. The ever-evolving nature of the attacks, the threat actors and their means of attacking organisations exacerbates the pre-existing challenges of analysing and transferring cyber risk. For traditional risk managers who may be less familiar with the technical complexities of cybersecurity, quantifying the level of risk, and then approaching the insurance market to underwrite it, is a formidable task: underwriters expect a defensible estimate of how often an incident is likely to occur and what it would cost, not a colour on a heat map.
Third-Party Risk Management
A risk that affects almost every business today is the interconnectedness of companies and the vulnerabilities that come from depending on third-party vendors and partners. Some specific features of the way business is done today that make vendor risk management and third-party risk assessment hard to tackle are:
- Limited visibility into third-party operations
- Difficulty in enforcing risk management practices across the supply chain
- Potential conflicts between business objectives and risk management efforts
Balancing Risk and Reward
Risk assessment is not only about perceived threats; it also involves evaluating projected benefits, such as the prospect of being rewarded for taking a calculated risk. One of the more common dilemmas for risk managers is striking the right balance between risk aversion and opportunity-seeking. Overcaution can mean lost opportunities, while overaggressiveness can expose the organisation to excessive risk.
Integrating Risk Assessment into Organisational Culture
Ultimately, to make risk assessment effective, it must be institutionalised. For many companies, a risk management culture remains elusive: an organisation whose professionals and executives at all levels understand good risk practice and are ready to take part in decisions about the level of risk to accept. The difficulty stems from:
- Lack of top-level support for risk management initiatives
- Inadequate training and communication about risk assessment
- Resistance to change from employees comfortable with the status quo
Keeping Pace with Regulatory Requirements
The regulatory landscape is constantly changing: new laws and regulations continue to emerge. For risk managers, ensuring compliance with these ever-changing demands keeps getting more complex. The challenge is particularly pronounced for organisations operating in multiple jurisdictions, which may have to comply with an unwieldy set of sometimes contradictory regulations.
Quantifying Intangible Risks
Some risks are relatively easy to quantify, at least in principle: a monetary value can be attached to, say, a computer security attack that results in the loss of customer data, by adding up incident response and forensics, notification, regulatory fines and lost business, even if each of those figures is itself an estimate. Others, such as reputational risk, are notoriously difficult to measure because they are less tangible and obvious, yet their threat to the organisation can be severe. In addition, most effort goes into measuring financial risks, and far less into the intangible risks related to governance or reputation. Risk managers usually find it hard to agree on a meaningful metric for placing these abstract risks on the risk matrix, and they will probably end up favouring the risks that can be quantified.
Dealing with Cognitive Biases
Human judgment is central to risk assessment: people weigh how probable an unsafe condition is, how foreseeable a particular use or misuse is, what standard of care the law and the community expect, and how patterns of use change over time. But, like it or not, humans are creatures of bias, so the perception of risk is often warped by cognitive biases that distort each of those judgments. Biases that can influence risk assessment include the following:
- Confirmation bias: the tendency to seek out information that confirms existing beliefs
- Availability bias: overestimating the likelihood of events that are easily remembered
- Optimism bias: the tendency to underestimate the probability of adverse events
Recognising, controlling and mitigating these biases is an ongoing challenge for risk managers.
Communicating Risk Effectively
Sound risk assessment is useless if decision-makers are not equipped to understand its more technical elements. Risk managers struggle to translate specialised and often technical risk information into relevant, actionable information for decision-makers, particularly when the risks lie outside the decision-makers' expertise.
Strategies for Overcoming Risk Assessment Challenges
Making risk assessment more accurate is significantly harder than this list could ever suggest, but on a positive note, some avenues forward for organisations are outlined below. One caveat from organisation design applies throughout: trying to do everything at once is a recipe for doing everything poorly, so prioritise.
Risk assessment improvement strategies:
- Recognise the gap between your risk assessment process and the best practice you aspire to; acknowledge any missing elements
- Analyse the internal and external factors that drive your organisation’s risk in more detail
- Improve risk communication, a need that communication strategists have long emphasised. Agree a shared vocabulary for consistency and clarity, and avoid ambiguous terms or subjective language with no concrete meaning. Vague verbs such as 'contact' or 'engaged' leave it undefined who does what, and by when, on either side
Invest in Risk Intelligence
Organisations need to grow their risk intelligence capacity to improve their ability to foresee emerging risks and new variants of known ones. This involves:
- Implementing advanced data analytics tools
- Leveraging artificial intelligence and machine learning for risk prediction
- Establishing a dedicated team for horizon scanning and trend analysis
Enhance Data Management Practices
To address data quality issues, organisations should focus on:
- Implementing rigorous data governance policies
- Investing in data cleansing and validation tools
- Developing partnerships to access external data sources
Develop a Comprehensive Cyber Risk Management Framework
To tackle the complexities of cyber risk, organisations should:
- Conduct regular cyber risk assessments
- Invest in employee training and awareness programs
- Collaborate with cybersecurity experts to stay informed about the latest cyber threats
Implement a Robust Third-Party Risk Management Program
To better manage third-party risks, organisations can:
- Develop clear risk assessment criteria for vendors and partners
- Conduct regular audits and assessments of third-party operations
- Implement continuous monitoring tools for third-party risk
Foster a Risk-Aware Culture
To integrate risk assessment into the organisational culture, companies should:
- Secure visible support from top leadership
- Provide regular training and communication on risk management practices
- Incorporate risk considerations into decision-making processes at all levels
Leverage Technology for Regulatory Compliance
To keep pace with changing regulations, organisations can:
- Implement governance, risk, and compliance (GRC) software
- Establish automated alerts for regulatory changes
- Develop partnerships with legal and regulatory experts
Develop Innovative Approaches to Quantifying Intangible Risks
To better assess intangible risks, organisations can:
- Use scenario analysis and stress testing
- Develop proxy measures for hard-to-quantify risks
- Leverage expert judgment through structured elicitation techniques
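The breach-cost example given under Quantifying Intangible Risks, and the scenario analysis and structured expert elicitation recommended here, can be made concrete with a small Monte Carlo model. The following Python is an added example, not the article's own method or data: it takes an expert's 90% confidence interval for the cost of one event and an estimated event rate, simulates many years of losses, and reports the annualised loss expectancy (ALE) with tail percentiles, then estimates the annual benefit of a control. The scenario (a customer-data breach roughly once every two years costing between 10k and 500k per event) and the 60% frequency reduction attributed to the control are constructed assumptions.

```python
"""Monte Carlo estimate of annualised loss for one cyber-risk scenario.

Added illustration, not the article's own method or data. The event rate,
loss interval and control effect used below are constructed assumptions.
"""
import math
import random
from statistics import mean

# z-score bounding a two-sided 90% interval (5th and 95th percentiles of N(0, 1))
Z_90 = 1.6449


def lognormal_params(low: float, high: float, z: float = Z_90):
    """Convert an expert's 90% confidence interval [low, high] for the loss of
    a single event into the (mu, sigma) of a lognormal whose 5th and 95th
    percentiles are exactly low and high. Losses are positive and right-skewed,
    which the lognormal captures and a normal distribution does not."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year at a rate of lam per year (Knuth's method,
    adequate for the small rates typical of loss-event scenarios)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, loss_low, loss_high, trials=20_000, seed=1):
    """Simulate `trials` years: each year draws an event count, then a lognormal
    loss per event. Returns the total loss of every simulated year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    years = []
    for _ in range(trials):
        events = sample_poisson(rng, freq_per_year)
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return years


def percentile(values, q):
    """q-th quantile (0 <= q < 1) by nearest rank; interpolation is not needed here."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarise(years):
    """Annualised loss expectancy plus the tail percentiles a board pack needs."""
    return {
        "ale": mean(years),
        "p50": percentile(years, 0.50),
        "p90": percentile(years, 0.90),
        "p99": percentile(years, 0.99),
    }


def analytic_ale(freq_per_year, loss_low, loss_high):
    """Closed-form expectation: rate times the lognormal mean exp(mu + sigma^2 / 2).
    A sanity check that the simulation is not wildly off."""
    mu, sigma = lognormal_params(loss_low, loss_high)
    return freq_per_year * math.exp(mu + sigma ** 2 / 2)


def control_benefit(freq_per_year, loss_low, loss_high, freq_reduction, **kw):
    """Expected annual loss avoided by a control that cuts event frequency by
    `freq_reduction` (0..1). Compare the result with the control's annual cost."""
    before = summarise(simulate_annual_losses(freq_per_year, loss_low, loss_high, **kw))
    after = summarise(simulate_annual_losses(freq_per_year * (1 - freq_reduction),
                                             loss_low, loss_high, **kw))
    return before["ale"], after["ale"], before["ale"] - after["ale"]


if __name__ == "__main__":
    # Constructed scenario (assumption): a customer-data breach once every two
    # years on average; 90% confident one breach costs between 10k and 500k.
    FREQ, LOW, HIGH = 0.5, 10_000, 500_000
    stats = summarise(simulate_annual_losses(FREQ, LOW, HIGH))
    print(f"simulated ALE {stats['ale']:,.0f} vs analytic {analytic_ale(FREQ, LOW, HIGH):,.0f}")
    print(f"p50 {stats['p50']:,.0f}  p90 {stats['p90']:,.0f}  p99 {stats['p99']:,.0f}")
    before, after, saved = control_benefit(FREQ, LOW, HIGH, freq_reduction=0.6)
    print(f"control cutting frequency by 60%: ALE {before:,.0f} -> {after:,.0f}, "
          f"saves about {saved:,.0f} per year")
```

Two things the output shows that a single expected-loss figure hides: the median year is zero (most years no breach happens) while the 99th percentile is many times the ALE, which is the number that matters for insurance limits and capital; and the benefit of a control can be expressed in the same currency as its cost, which is the comparison a budget holder actually wants. The model should be extended, not trusted as is: real programmes also model the control's effect on severity, correlate scenarios that share a root cause, and revisit the elicited intervals as incident data accumulates.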
Address Cognitive Biases
To manage the impact of cognitive biases on risk assessment, organisations can:
- Implement structured decision-making processes
- Encourage diverse perspectives in risk discussions
- Provide training on cognitive biases and debiasing techniques
Improve Risk Communication
To enhance risk communication, organisations should:
- Develop clear and consistent risk reporting formats
- Use visual tools like risk matrices and heat maps
- Tailor risk communications to different stakeholder groups
Employ Diverse Risk Assessment Methodologies
To ensure a comprehensive approach to risk assessment, organisations should:
- Utilise a variety of risk assessment methodologies
- Regularly review and update their risk assessment process
- Adapt methodologies to suit different types of risks and business contexts
Focus on Operational Risk
Operational risk, the risk arising from people, processes and systems, is something all staff should care about, not only the risk function. Three practical indications: everyone should know where they sit in the organisational structure and who owns which control; a missed deadline is itself a source of risk, not just an inconvenience; and a willingness to roll up one's sleeves when a control fails matters more than a perfect policy. Organisations can support this by:
- Develop specific operational risk assessment frameworks
- Implement robust internal controls
- Regularly review and update operational risk management strategies
Enhance Risk Identification Techniques
Improving risk identification is crucial for effective risk assessment. Organisations can:
- Implement brainstorming sessions and workshops
- Use checklists and historical data to identify potential risks
- Leverage industry benchmarks and external resources for risk identification
Final Thoughts
The pressure to get this right, as noted above, is intense. The challenges are real but not insurmountable. Identifying and evaluating risks is an increasingly important part of business work. By using tools to overlay risk registers with current and projected risk datasets, asking the right questions about risk culture and controls, and investing in the right digital technology and people, PMOs and business leaders can improve their ability to identify, assess, control and mitigate risks.
As time passes, the field of risk assessment is bound to change, moving ahead with the development of new technologies, fluctuations in the global business environment and the emergence of new risks. The risk managers who can anticipate change and overcome the challenges described in this article will be the ones best able to help their organisations navigate the uncertainty ahead.
Good risk management is not about eliminating all risk; you could not do that, and you should not try. It is about understanding risk, making choices, and constantly balancing risk and reward. By embracing that philosophy and responding to these challenges, you can transform risk management from a mechanical assessment exercise into a valuable business tool for driving achievement.