With the increasing availability of big data and sophisticated software analytics, such as machine learning, modern risk assessments are automated and easy to use for people who have limited technical knowledge of risk management. The outcome of risk assessment will become more accurate due to access to large samples. For example, Deloitte has developed a continuous risk assessment tool as an enhancement of its traditional risk assessment processes through the inclusion of quantitative metrics, i.e. key risk indicators, to better assess the risk universe. ORM has moved away from traditional risk assessment towards risk-based strategic decision making.
Note: Traditional ORM practitioners believe they conduct risk assessment, but they actually perform expected loss assessment.
The Evolutionary Path from Traditional to Modern ORM
Source: adapted from SunLife Financial 2007
Risk assessments are only effective if corrective and preventative actions/controls are correctly chosen and effectively implemented. However, to ensure the effectiveness of risk assessment, effective root cause analysis is a critical step in fully resolving an issue, and it is one of the reasons why the new ISO 9001 and 14001 management systems in 2015 have become a preventative tool.
Typically, the trail of risk management begins with the risk assessment performed by the leadership of the enterprise as a precursor to strategic planning. As the business environment and situations change, organisations are required to review their risk assessment processes and methods to ensure they are still accurate and relevant for continual improvement. From an enterprise risk assessment perspective, the organisation should cascade the risk assessment process to all of its operations. Ideally, each process owner should conduct risk assessments of their processes to determine how they could potentially fail to meet planned outcomes (SAI Global, 2017).
Most organisations have already employed some methodology for risk assessment. For example, failure mode and effects analysis (FMEA) is a very useful technique to identify and prioritise risks. The methodology is usually limited to specific processes or products. The new ISO standards require organisations to take the same basic approach or thought process and apply it to the entire business to fit organisation-specific needs (SAI Global, 2017).
Regardless of the risk assessment methodologies or techniques used, organisations need to identify the internal and external risks and opportunities that could potentially impact their ability to meet planned objectives today and in the near future, for example through SWOT analysis. Auditors will determine what methodology is chosen by the organisation and evaluate whether the methodology has been effectively implemented for risk reduction. However, risk assessment processes are not expected to be perfect or too complicated. They should cover the basics and then continue to improve until they become both effective and efficient (SAI Global, 2017). While only 20% of organisations are risk seeking, new research by CEB in 2015 found that 60% of corporate strategy officers stated that their company’s decision-making processes are too slow, partially due to an excessive focus on risk prevention. If this issue is addressed, revenue growth rate is expected to double.
Source: CEB and HBR, 2015.
As shown in the graph above, risk managers and auditors spend more than half (52%) of their time on financial-reporting, legal, and compliance risks, even though 95% of market value losses have resulted from mismanaged strategic and operating risks. Most companies (91%) plan to reorganise or reprioritise risk management between 2015 and 2017 (HBR, 2015). In terms of OHS risk management practices, this emerging trend signifies a shifting focus from minimal compliance to industry good practices in large enterprises. For example, there is a need to shift the OHS focus in the South African construction industry from safety to health and ergonomics, and a paradigm shift from compliance to better practices beyond elementary incident treatment.
Due to the holistic nature of occupational risk management, the risk assessment process requires multidisciplinary skills, using a diverse range of tools to aid in making informed decisions about all the identified losses and their risk (Cioca, Băbuţ & Moraru, 2016).
The next section will focus on the risk assessment methodologies and techniques currently deployed in various industries.