First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 2 Minutes Read January 31, 2018

Identifying, assessing, and evaluating risk is the easy part

Identifying, assessing, and evaluating risk is necessary, but as the author of this article points out, it’s not enough. It needs to go further to evaluating the options and identifying the new or modified risks that result from the decision on how to address the original risk.
I have been giving a lot of thought to this recently.
Knowing your risks is just the start.
Acting, making informed decisions and taking the desired amount of the right risks, is the point of the spear.
Once you have identified a risk, what are you going to do about it?
It’s a lot more than simply saying you are either going to accept, avoid, pursue, reduce, or share a risk (the COSO ERM 2017 options).
You have options and each carries with it its own set of risks – things that might happen.
COSO ERM 2017 talks about strategy selection, which is a very important decision, and how you need to assess each option. The selection process includes understanding what might happen under each option (risks and opportunities in their language), weighing all the pros and cons, and then choosing the one that makes the most business sense.
It’s not just which option is most likely to bring the risk to desired levels (lower or higher) at the least cost.
The decision-maker needs to understand how each option might affect other risks, perhaps to other objectives.
For example, if additional resources need to be dedicated to addressing risk A, that might weaken the organization’s ability to address risks B, C, and D. Requiring sales personnel to undergo a three-day training class on compliance could delay completion of deals, diminish (more than desired) their attitude towards risk-taking, and lower their morale because they believe bonuses will be reduced.

I am pleased that COSO talks about the issue (although their discussion is limited) but disappointed that they failed to realize that every decision requires the same level of thought.
Many ERM programs stop when they have identified a risk, determined its level, assigned an owner, and said what will be done about it.
But they usually don’t provide a disciplined process for evaluating the options and identifying the new or modified risks that result from the decision on how to address the original risk – and, essentially, factoring that into the selection process.
COSO is silent on this. The ISO 31000: 2009 global risk management standard says, “Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed.” But it does not explain how the assessment of those secondary risks should affect the risk treatment selection process. The current draft of the ISO update doesn’t include any additional guidance either.
That’s my experience and understanding. Is it yours as well?

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Privacy / addressing risks, business risk, COSO ERM 2017, evaluating risk, ISO 31000: 2009 global risk management standard, risk, risk evaluation, risk management

Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved