Thursday, January 28, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Risk

Using a Risk Model as a Common Language

by Jim DeLoach
December 17, 2014
in Risk
Using a Risk Model as a Common Language

The central purpose of a common risk language is to assist management with evaluating the completeness of its efforts to identify events and scenarios that merit consideration in a risk assessment. Either management begins a risk assessment with (a) a blank sheet of paper with all of the start-up that choice entails, or (b) a common language that enables busy people with diverse backgrounds and experience to communicate more effectively with each other and identify relevant issues more quickly.

In a Corporate Compliance Insights column earlier this year, we provided a suggested language for executive management and directors to use in the Boardroom to focus the board risk oversight process. This month, we discuss the merits of a common language for use by the entire organization.

The sources of uncertainty an enterprise must understand and manage may be external or internal. Risk is about knowledge. When management lacks knowledge, there is greater uncertainty. Thus sources of uncertainty also relate to the relevance and reliability of information about the external and internal environment. These three broad groups – environment, process and information for decision making – provide the basis for an enabling framework summarizing the sources of uncertainty in a business.

  • Environment risk represents the uncertainties affecting the viability of the business model. It arises when external forces can (a) disrupt or otherwise affect the entity’s performance significantly, (b) render critical assumptions underlying the organization’s strategy invalid and/or (c) drive management to revisit prior choices regarding the operating process design, customer and supplier relationships, organizational structure or financing. These external forces include the actions of competitors and regulators, shifts in markets, technological innovation, changes in industry fundamentals, the availability of capital or other factors outside the company’s direct ability to control.
  • Process risk represents uncertainties affecting the execution of the business model. It arises when internal processes do not achieve the objectives they were designed to achieve in supporting the entity’s business model. For example, characteristics of poorly performing processes, or process risks, include lack of alignment with business objectives and strategies, dissatisfied customers and inefficient operations. They also include diluting (instead of creating or preserving) enterprise value and failing to protect significant financial, physical, customer, employee/supplier, knowledge and information assets from unacceptable losses, risk taking, misappropriation or misuse.
  • Information for decision making risk represents the uncertainties around the relevance and reliability of the information used to manage the business. It arises when information used to support business decisions is incomplete, out of date, inaccurate, late or simply irrelevant to the decision-making process.

These three groupings of risk are interrelated. The environment risks and process risks that the enterprise faces are driven by the external and internal realities of the business. Information for decision making risk is directly affected by the effectiveness and reliability of information processing systems and informal “intelligence gathering” processes in place to capture relevant data, convert that data to information and provide that information to the appropriate managers in the form of timely written reports and oral communications.

Process risk is sometimes indistinguishable from information for decision making risk because information is needed to make informed decisions about managing a process. A steady flow of information should provide decision makers the insights they need about the external environment and the performance of the organization’s business processes so that they can manage the risks effectively.

These three groupings of risk provide a broad foundation on which more specific categories of risk can be identified and detailed. For example, process risk might include such risk sub-categories as governance risk, reputation risk (brand image erosion), operations risk, financial risk (e.g., market, credit and liquidity risks), information processing/technology risk and integrity risk (e.g., risk of fraudulent, illegal and unauthorized acts).

In addition, each of these sub-categories might include more specific risks. To illustrate, operations risk might include such specific risks as customer satisfaction, human resources, knowledge capital, product development, efficiency, scalability, cycle time, sourcing, channel effectiveness, compliance, product/service failure, environmental and health and safety, among others. Definitions might be developed to support these risk categories and sub-categories as well as specific risks.

A risk model is flexible enough to be customized to a particular industry by picking up on that sector’s nomenclature and terminology. It may also be tailored to a specific company. Once developed, the model may be used to facilitate risk assessments, strategic thinking and M&A due diligence; codify best practices and risk responses: and provide a framework for risk management presentations and even risk reporting.

Desirably, a common risk language begins at a strategic level for the enterprise as a whole and is customized to specific units, geographies and products. This “cascading” approach has the advantage of identifying risks that are common across the enterprise. For operating units with distinctive risk profiles, however, the overall risk language must be customized to address the unique risks faced by those units. The distinction is an important one. Risks common to all business units drive enterprisewide risk responses. Risks unique to individual units drive unit-specific risk responses.

In summary, a well-conceptualized risk model is a springboard to deeper discussions and understanding of risk and, for some organizations, provides an essential “building block” toward setting the foundation for enterprise risk management. It provides a screening tool and completeness check for risk assessments, as well as a “memory jogger” and “thought stimulator” for busy people engaging in divergent thinking about risk. A customized risk model merits consideration by organizations seeking to implement enterprise risk management.


Previous Post

7 Key Actions to Accelerate Your Ethics and Compliance Program

Next Post

PWC Report: A Guide to Cloud Audits

Jim DeLoach

Jim DeLoach has over 35 years of experience and is a member of Protiviti’s Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2017.

Related Posts

businessmen in miniature studying volatile stock market

The Risk of Undervaluing Culture in a Volatile Market

January 27, 2021
RiskMap 2021: Legal and Compliance Outlook

RiskMap 2021: Legal and Compliance Outlook

January 25, 2021
silhouette of businesspeople in meeting with blue cyber background

Cyber Risk Quantification and Prioritization is the Future of GRC

January 20, 2021
man working on smartphone and laptop

Adverse Media Screening: Relying on Google Alone Can Expose Organizations to Risk

January 19, 2021
Next Post
PWC Report: A Guide to Cloud Audits

PWC Report: A Guide to Cloud Audits

Access realtime data
Dynamic Risk Assessments with Workiva

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights