5 Common Pitfalls in Risk Assessments

What to avoid and how to maximize effectiveness 

The corporate scandals of Enron, WorldCom and Tyco in the early 2000s have forever changed the way management and investors view risk management programs. Circumventing controls and exposing a company to increased risk is a recipe for disaster that could result in reputational damage.

Despite management’s good faith efforts to implement comprehensive risk assessments and mitigation programs, the percentage of successful implementations remains relatively low. Fortunately, there are some clear indicators that your risk assessment may be falling short. Here are five pitfalls that contribute to an ineffective risk assessment:

  1. Done, filed away: Risk assessments often result in a substantial amount of documentation that is filed away once completed. However, if the risk management process is not incorporated into daily business processes, it becomes a “check-the-box” exercise and the benefits are never realized. To be effective, the risk assessment needs to be refreshed as the business changes and should be continuously updated.
  2. Incomplete diagnosis:  When issues are identified, remediation efforts often address the symptom, but fail to treat the root cause of the problem. As a result, the root cause goes unresolved and the risk of further issues remains high.
  3. Generic risks: When performing risk assessments, companies tend to identify generic risks. For example, they may conclude that there is a “risk of fraud,” which is too generic. Instead, potential fraud scenarios should be identified, including who the likely perpetrators are, how they could conceal the fraud, and how the potential fraud could be prevented.
  4. Incomplete view: Many companies utilize a top-down approach, which is great for identifying strategic risks. Others prefer a bottom-up approach, which is better for identifying operational risks. However, each one provides only a partial view. Having the perspectives of both executive management and operational staff is necessary to develop a holistic view of the organization’s risk exposures and ways to mitigate them.
  5. Lack of accountability and buy-in: Risk assessments are often done by someone independent of the business process, such as the Compliance person, and sometimes without getting buy-in or feedback from the business area.  This can result in incorrect assumptions being used, which in turn leads to poor process documentation and incorrect controls.

A best practice would be to have three components to the risk assessment. First, a Risk Officer who will champion and oversee the risk management program. Second, the selected employee(s) in the Compliance and/or Legal Department who will work with the business units. Third, the Risk Committee, composed of top executives from the functional areas and typically chaired by the Risk Officer. The Risk Committee is responsible for supporting the Risk Officer in overseeing the program. Such involvement fosters the executives’ buy-in to the program.

Being aware of potential pitfalls is the first step toward effective mitigation.  If you would like to learn more about how we can help improve your risk assessment process, please contact me at 925.271.8700 or at ccaballero@ssfllp.com.