How to build a dynamic risk assessment

How to build a dynamic risk assessment

Risk assessment requires a collaborative approach that is both comprehensive and flexible. New data and market changes demand agility.

In brief

  • Data has always been a challenging variable in the risk assessment process. Companies are rethinking their strategies to account for new data and new risks.
  • Many companies find it difficult to sort through the all the data available to zero in on which points matter most to their business.
  • Evolving technology can help companies make better risk assessments, but collaboration remains an important trait in any risk mitigation strategy.

Do you know what must go right to achieve your organization’s strategic objectives? Are you able to identify what could go wrong before it happens?

Connected risk approach

In this series, we’ve introduced the connected risk approach and discussed the importance of beginning with an integrated risk taxonomy to harmonize your risk management activities across the three lines of defense. The next step is to execute a dynamic risk assessment composed of:

  • Diverse qualitative and quantitative inputs to reduce reliance on judgmental analysis
  • Data-driven aggregation and prioritization methods to reflect a rapidly changing environment
  • Modern tools and technology to enhance output and reduce manual effort

 Dynamic risk assessment has four phases: orient, identify, prioritize and respond.

Orient your mandate to better manage risk

From whatever perspective that you’re reading this, “orient” is a critical first step to understand the scope of risks you’re assessing and your function’s mandate with respect to managing those risks. This will determine where you source data, how much emphasis to put on each type of input, and who needs to be consulted and/or informed during the process.

Each risk, compliance and assurance function is likely to have its own assessment process; too often, these assessments are done in silos and not shared across the enterprise. Leading organizations are moving toward enterprise assessments, but that doesn’t mean one risk assessment to rule them all — in fact, quite the opposite. Each function independently assesses through its lens and shares the output across the three lines. When this is done collaboratively, the risk ecosystem thrives on an integrated taxonomy and a comprehensive view of the top risks facing the company.

How EY can help

  •  Enterprise Resilience

    Discover how EY can help transform your business to navigate disruption with agility, stay competitive in the market and help generate long-term value.

    Read more

Identify risk through data-driven inputs

 

The “risk then data, or data then risk?” conundrum has plagued the risk assessment process for years. Historically, companies have conducted interviews to identify risk, then found data to substantiate the risk. Today, organizations must leverage internal and external data to identify a broader set of rapidly changing and emerging risks in addition to what management has identified.

 

Dynamic risk assessment incorporates four types of inputs, including:

 

1. Qualitative assessment – balancing interviews and data

 

Qualitative assessment is the risk professional’s subjective determination of likelihood, impact and velocity of a risk occurrence based on data consulted, current factors and general knowledge of the business. This inherent risk quantification is offset by qualitative review of management preparedness or control effectiveness to produce a residual risk rating.

 

Interviews remain a valuable source of information for qualitative analysis; however, they must be balanced with data-driven inputs to produce a truly dynamic risk assessment. Leading organizations are utilizing modern tools to drive efficiency and deeper insight, reaching greater audiences in facilitated sessions and turning feedback from interviews into structured data inputs.

 

2. Quantitative metrics – deriving risk from business performance

 

Quantitative metrics include financial, operational and other business performance indicators that are considered key to operational success. While the first line leverages these KPIs to run the business, second and third line functions turn them into key risk indicators (KRIs) by assigning tolerance thresholds and aligning to specific risks within the taxonomy.

 

Ideally, analytics are never built solely for the purpose of executing a risk assessment; they can and should be adapted from existing operational indicators or developed and fed back to the business as continuous monitoring.

 

3. Risk performance – leveraging the same taxonomy 

 

Risk performance refers to history and findings from internal and external audits, compliance and other assurance activities, including management’s self-reporting of issues. When functions use the same taxonomy, risk performance easily maps into the assessment process. In the next blog, we’ll dive into assurance mapping and coordinated response, the basis for your risk performance inputs.

 

4. External data – challenging perspective with the “bias buster” 

 

Notable organizations leverage external data as a bias buster to challenge the completeness and prioritization of their internal risk assessments. Many companies struggle to identify and access meaningful information; luckily, there are platforms and solutions available to aggregate multitudes of data and identify threats aligned to your risk universe.

 

Organizations should consider adopting a leading risk platform that aggregates external data sources, including peer company risk factors from publicly available reports, sentiment analysis from news and social media, credit analysis, cyber health ratings, geopolitical factors (including a corruption index and AI-based country risk ratings), and publicly available information about key and second-tier business relationships (e.g., suppliers, customers, joint ventures).

 

Leveraging new data will likely expose additional risks, so we highly encourage a loop-back mechanism to evaluate and update your taxonomy.

 

Prioritize the risks that matter today 

 

A risk assessment is considered “dynamic” when it continuously ingests new data from multiple sources to quickly identify and reprioritize emerging and increasing threats. This aggregation and orchestration is your “secret sauce,” with weighted scoring of inputs producing a composite risk score aligned to your integrated risk taxonomy (remember the snowflake structure we talked about in a previous article). Each function may weigh inputs differently based on its mandate that was established in the orient phase, and the weighting may change as new inputs become available.

 

Respond to fit your organization’s risk posture 

 

Leading organizations leverage modern technology to enable this process on a continuous basis and expose the risk posture of the enterprise to management in real time rather than waiting for a prescribed risk assessment refresh cadence. A dynamic risk assessment that prompts the right response at the right time is critical to protect and build organizational value.

 

A special thanks to Megan Duggan and A.J. Spalding for contributing to this article.

Summary

Risk assessment relies on an intuitive approach to strategy that accounts for each company’s unique operating model and structure. Data is a critical part of this process, but it must be aligned with the overall vision of the organization.

Related articles

Who, what, where: getting to know your risk ecosystem by name

Find out why an integrated risk strategy starts with identifying your risk steward and why an integrated risk taxonomy supported by tech is key to success.

29 Apr 2022 Scott McCowan + 1

Why now is the time to modernize your risk management strategy

Find out how to modernize your risk strategy by taking a connected risk approach and leveraging data and technology to support your risk management efforts.

04 Mar 2022 Scott McCowan + 1
    Contact us
    Like what you’ve seen? Get in touch to learn more.

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.