CHAPTER 23
Risk Assessment
Risk analytics and assessments provide the information to help the board, corporate management, and business and functional leaders to make more informed business and risk management decisions. In Chapter 9 we discussed the risk analytics that can support enterprise risk management (ERM). However, not all risks can be easily quantified and modeled, which is why risk assessments can be useful. The objective of risk assessment is to identify, quantify, and prioritize an organization's key risks to enable more informed business and risk management decisions. Risk assessment principles are well established in industry frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM, the Dey Report, the Turnbull Report, and ISO 31000.1
A 2013 KPMG survey2 of approximately 1,000 C-level, cross-industry executives found that 80 percent of respondents said their companies perform some form of risk assessment, while the remaining 20 percent had no formal enterprise-wide risk identification strategy at all. Of the 80 percent of respondents whose companies perform risk assessment, the survey found (multiple answers allowed):
- 48 percent of respondents said their company's risk management function performs an annual risk assessment
- 38 percent said that the individual businesses perform a risk-control self assessment (RCSA)
- 34 percent said that risk assessments of all risk and control functions are aligned to establish a complete risk profile ...
Get Enterprise Risk Management: From Incentives to Controls, 2nd Edition now with the O’Reilly learning platform.