
The Case for Using Risk-Based Assessments.

by Angelo Esposito, President of ATP Consulting

Regardless of industry orientation, geographical location, or number of years doing business, organizations around the globe realize that appraising critical functions and responsibilities against a risk-based yardstick is both effective and necessary. Owners and shareholders alike are demanding that management take an all-encompassing and holistic approach in identifying, categorizing and mitigating risks to the core business. In certain highly regulated industries (most notably bio-medicine and pharmacology), applying a risk-based methodology is nearly mandatory. Industry observers predict that it is only a matter of time before legislation is passed mandating compulsory risk-based assessments. But whether driven by regulatory fiat or simply by good management practice, an effective risk-based program is rapidly becoming the foundation upon which many companies choose to build their superstructure.

Using a risk-based methodology to assess one's organization has significant benefits. Assigning objective, numerical scores to departments, functions and tasks eliminates much of the squabbling and political maneuvering that normally surrounds the allocation of scarce resources. Once the functions and underlying processes have been ranked, the ranking automatically establishes a prioritized 'To-Do' list that stays current as long as it is properly maintained. Advanced organizations use this initial list as the benchmark against which future progress (either tactically or in support of strategic objectives) is measured. Not only does the checklist act as the roadmap guiding the company to its three-pronged goals of effective oversight, increased shareholder value and risk mitigation, it also serves as a device to communicate effectively with internal staff and external stakeholders. It states, in unequivocal terms, the factors the company views as being most important for its immediate success and long-term future health.

Yet even though organizations recognize the advantage of risk-based assessment, many hesitate when it comes to the actual implementation. The apologies have all been heard before: lack of time and resources; business lines too diverse and complex; assumption that existing controls are adequate to the task. None of those justifications will acquit the management team that is found guilty of failing to exercise due diligence. Even if it is later discovered that the initial assessment is flawed, the very act of undertaking the review has the ancillary benefit of focusing attention on areas of critical interest. Management can use the assessment as proof that they acted proactively. There is no upside for taking no action at all.

All risk-based methodologies rest on an effective scoring system, one that is easy to understand, takes all relevant risk factors into account and avoids subjectivity wherever possible. Practitioners will debate the merits of the various risk-based methodologies. Depending upon their background and bias, they champion the criteria with which they are most familiar. Risk-based specialists with experience in the financial services arena will extol the virtues of transactional analysis (number of transactions received; the estimated dollar value of lost transactions) over other methods. Consultants who come from a networking background will sing the merits of physical and logical security metrics surrounding information, equipment and premises. No matter how passionately the risk-based expert may argue, it is important to keep one salient fact in mind: the true measure of the selected methodology is how well it identifies, categorizes and mitigates the risks for the environment under review. Ultimately, the selection is predicated upon the risks defined by the owners and board of directors. Each company defines its own level of risk: conditions it can live with (intermittent mail outages) versus items that are simply unacceptable (loss of key clinical data). It is management's responsibility to set those parameters. Once they are defined, then (and only then) can external consultants and internal risk management personnel take the next step of applying the appropriate risk-based methodology.


Angelo Esposito is the president of ATP Consulting and helps companies understand and implement customized risk-based assessments for their particular line of business. For more information visit www.consultatp.com.




© 2003-2008 The Life Sciences Information Technology Global Institute.