Is performing risk assessments putting your company at risk?
Ask yourself this: how often are you performing risk assessments?
- A. Zero times a year—we don't have the time or resources
- B. Once a year—we don't have the resources we need
- C. Once a year—we don't have the time we need
- D. Multiple times a year—we've got a great handle on things
The answer should be D, multiple times a year.
The risk environment that your company operates in is rapidly changing—with risks and threats evolving daily. If risk assessments are performed only once a year or not at all, the company is at risk because emerging risks could go unnoticed, undetected, or may not even be considered. Cybersecurity risk, bribery, supply chain threats, and treasury and capital markets risk are all in the spotlight.
Why is it so important?
To mitigate the risks in your company's changing environment, risk assessments need to be an integrated process, not just a check-the-box exercise done once a year. All too often, prospects and customers looking to upgrade their processes tell us that they do not have the time and resources to review their risk assessments multiple times a year.
When performing multiple risk assessments, it's important to take into consideration the following questions:
- Is risk considered with your strategic initiatives? Or is it an afterthought that can lead to significant consequences?
Often, companies identify tools and procedural changes that are known to reduce risks and the potential for loss, but these are only given thought when something bad happens. Suddenly these changes—which could come in the form of purchases or projects that were not in the budget—are thrust to the front of the line and expected to be completed as quickly as possible.
When risk is integrated into strategic initiatives and organization-wide risk management activities are performed, companies are better able to mitigate losses on a regular basis. As shown in a recent case study, companies can mitigate, if not avoid, failed internal controls by reviewing a prioritized list of risks and the controls necessary to mitigate each.
- Has your company allocated more or sufficient resources to assessing and managing the risk environment? Who owns emerging risks, risk follow-up, and risk escalation?
In order to properly assess and manage the ever-changing risk environment, companies need to make sure they have an adequate number of professionals who understand the risks and potential losses. This staff needs to be extremely diligent about the evolving risk environment, understanding new, potential threats and vulnerabilities as they appear.
- How often are management and the board kept up to date on the risk environment? Once a year and then never again?
The board's focus on effective risk oversight is critical to setting tone and culture toward effective risk management. As risks continually evolve, management and the board need to have active discussions to establish a mutual understanding of the organization's risk exposures.
The risk environment does not rest solely on the shoulders of management and the board. A recent KPMG study suggests that companies want more risk-related insights from their internal audit departments. Today, 22 percent of companies receive help assessing risks and risk management practices, but 57 percent would like to receive this information. Thirty-six percent of companies would find it valuable to receive informed perspectives on emerging risks, but only 5 percent are currently doing so.
To effectively review the risk environment, internal audit, the board, management, compliance, legal, and risk all need to have a seat at the table.
The risk environment for your organization is constantly in flux. Because of this, you need to make performing risk assessments a regular occurrence in your organization.
Don't place your company at risk—be a leader and improve the risk assessment process. Learn how companies are performing risk assessments in an efficient manner by downloading Assessing Your Company’s Risks of Non-Compliance With the Foreign Corrupt Practices Act: A Practical Guide.
About the author
Mike Rost is a key contributor to product strategy at Workiva and works with business leaders in the areas of financial reporting and compliance. With more than 25 years of experience assisting organizations using technology to optimize business processes, Mike has an extensive background in finance and accounting, corporate performance management, and GRC technology. Mike was a founding member of XBRL International with involvement in the XBRL initiative dating back to 1999. He has also been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). Mike has a bachelor's degree in economics and an MBA in marketing and finance from the University of Minnesota.