Tugboat Logic spoke with Kai Wong, Risk Advisory Partner at Deloitte, about the role risk assessment plays in supporting high-growth companies in the mid-market. With over 25 years of experience in the field, including five in Silicon Valley, Kai has led risk assessments for organizations of every size and type, from public companies to startups.
This blog post shares the top insights and best practices Kai shared in a recent Q&A webinar.
Learn all about:
- The connection between business risk and business strategy
- How to take the first steps in the risk assessment process
- What the risk assessment lifecycle looks like
- Who should be involved in risk assessment
- How to avoid common pitfalls
Kai’s responses are edited and condensed for clarity. Let’s dive into the risk assessment process and how to do it right!
What Is a Risk Assessment?
A risk assessment is a process for identifying and prioritizing risk with the intention to address those risks in priority order.
Why Are Risk Assessments a Strategic Process?
For many companies, risk has a negative connotation. It’s something bad that could happen and they need to be avoided and prepared for.
But in the risk profession, we talk about risk in much broader terms. For example, risk can get in the way of achieving business objectives or the overall business strategy. The business objectives or goals guide your risk assessment by framing the process this way. But by requiring you to look beyond loss scenarios. Instead, ask yourself what is the business trying to achieve and what could get in the way of that?
When Should Startups and High-Growth Companies Start Focusing on Risk?
Every successful company of any size is already assessing and managing risk. But at some point, that company will want to apply a more structured and disciplined approach. Maybe they’re pursuing SOC 2 or ISO 27001 compliance. Or, maybe the company has first-hand experience of going through a major risk event like the 2008 financial crisis, unexpected litigation, or a ransomware attack and recognize the need for a more robust risk assessment.
The company can follow those compliance frameworks and standardized methods to guide its risk assessment if compliance is the driver.
But compliance aside, every business gets to a point where there are more stakeholders and additional complexity. As a result, the risks become more complicated and dynamic. Lacking structure, discipline and investment in the process, the company risks jeopardizing its business goals.
Where Should a Company Start the Risk Assessment Journey?
Even if a company doesn’t have a formal risk assessment process in place, they’ve started its journey. Companies constantly assess risks.
However, early on, risk assessment is likely to be an ad-hoc process focusing on issues as they appear. Few stakeholders are involved, with no formal methods or frameworks and no technology to manage the process; it’s doable. Companies at this maturity level should keep progress simple and start small—for example, flag risk as a topic at an upcoming management meeting. Or include a conversation around risk in your existing planning process. Simply get it on the agenda. These are low-effort ways to bring more focus to organizational risk.
As the process matures, it becomes more defined. The shift is often driven by company growth, increased exposure to risk, the need for compliance or a desire to differentiate in the market. As a result, the company is motivated to create a formal risk assessment process that follows a framework. Frameworks help ensure assessments are performed consistently and documented thoroughly. Naturally, more stakeholders contribute their input to the assessment process and technology incorporated to manage it more efficiently.
Finally, the company will progress to a risk assessment process that is optimized. Risk assessments and business activities, strategy and planning, become integrated. Risk and performance indicators are established, monitored and analyzed at the domain and enterprise levels.
How Do You Conduct The Risk Assessment Process?
There are three critical steps to the risk assessment process.
Step one is to develop the risk assessment criteria. If you’re conducting a risk assessment to comply with a standard like SOC 2 or ISO 27001, you’ll use the certification framework. If you’re assessing risk for other reasons, you’ll want to consider COSO (Committee of Sponsoring Organizations of the Treadway Commission). Many frameworks are based on the processes and principles that define COSO, making it a solid starting standard for your risk assessment processes.
Step two establishes a process for assessing the risks you identify using consistent criteria. Basically, you want to look at the potential impact of each risk factor and the likelihood that it will impact the business. It can also be helpful to look at risk dependencies and analyze risks in aggregate, as it can change the result. At the end, you can plot risks on a heat map, allowing you to see risks in terms of the extremity of their impact and the certainty with which the business is likely to be impacted.
Step three is responding to the identified risks as priorities by arranging a risk management program. Start by establishing a timeline for rolling out solutions. Some risks need to be addressed immediately, while others can probably wait a little longer.
Then identify roles and responsibilities. Who’s directly accountable for each risk? Empower these owners by enabling processes, infrastructure and reporting so that they can take action to mitigate, monitor and report on those risks ASAP. Executive management plays a key role as well in keeping the program alive. Setting risk assessment process priorities at the highest level and updating the priorities regularly can evolve in line with your business strategy. And finally, the board has a governance role as a sounding board and point of accountability for the executive.
Who Should Be Involved in the Risk Assessment Process?
Ultimately, everybody is a risk manager in an organization with fully mature ERM (enterprise risk management).
Rather than regarding roles in terms of a specific reporting structure, think about the flow of information. Information needs to flow upward and downward. People at the frontline of risks, like customer-facing or IT system-facing, need to move information upward to alert management to the risks they find. The board or management level needs to flow information downward to communicate to keep the strategic focus that impacts how to prioritize risks.
Facilitate that flow of information by issuing a survey to a broad stakeholder group and collecting their initial input. Next, present the top risks and report to the executive team. Group discussions will flesh out risks and identify areas where perspectives differ. Information can be shared in workshops with teams and provides plenty of opportunities to explore any issues in depth.
What Are Some of the Pitfalls for Companies Getting Started?
You don’t want to boil the ocean with a risk assessment. Instead, filter the information you collect to the point where a group can meaningfully analyze it, especially when it reaches the management or board level. Then, stay focused on issues that the board and management should be concerned about.
You also don’t want to let the risk assessment process become stale. The first time you go through the risk assessment process, you find high-priority risks and fix them, which can significantly impact the company!
If you go through the exact same process next time, with the same scope and team, you’ll find fewer and fewer risks. That doesn’t mean there actually are fewer risks—you’re just not uncovering them anymore. For a dynamic and proactive risk management process, you need to keep things fresh. Try new ways of surfacing risk and ask different people questions. Apply other strategic objectives as the company evolves.
The Art of the Enterprise IT Risk Assessment
Want to streamline risk identification and conduct better assessments, faster? Download The Art of the Risk Assessment and create a more effective risk management practice.Download eBook
What Role Does Technology Play in Risk Assessment?
We see companies adopt risk management technology earlier for risk assessments because platforms like Tugboat Logic offer better capabilities at an accessible price point.
This technology helps you focus on risk management rather than the paperwork and manual labor involved. In addition, as your risk assessment process matures and you bring in more stakeholders, technology helps them collaborate effectively. And it ensures that the process is documented correctly with consistency and continuity.
Get More Expert Advice on Risk Assessments
For more tips and best practices on launching your first risk assessment, watch Understanding IT Risk Management. In this on-demand Q&A webinar, Kai Wong shares his risk assessment maturity model and answers more questions about the assessment process.