Before a business can assess or mitigate business risk, it must first identify the likely risks to its bottom line. There is no sure-fire method for identifying these risks, but companies rely on past experience to reasonably approximate what could happen. Risk processes naturally evolve and mature over time, but some fundamental principles stay constant.
Assessing Business Risks
Business risks come in all shapes and sizes. This means that effective risk assessment must be adaptable to or uniquely designed for specific dangers. Whenever possible, a firm should group similar risks into comparable analytic processes.
Ideally, a company should allocate capital based on risk as determined by cost-benefit analysis. Every risk identification process should lead to effective analysis, and every analysis should inform corporate governance.
Internal Versus External Risk Analysis
There are two broad forms of risk that may affect a business: internal and external.
External risks are those that originate outside of the firm and include economic trends, government regulation, competition in the market and consumer taste changes. Internal (firm-specific) risks include employee performance, procedural failure, and faulty or insufficient infrastructure.
External risk assessment is almost always data-heavy. Since most external risks are systemic to an economic system – and therefore outside of the control of the company – forecasts cannot be adjusted based on different corporate governance decisions.
The external assessment begins by categorizing potential risks. Some scales are nominal, and some are ordinal. Companies prefer nominal categories because they are easier to manipulate and compare. Quantitative techniques, such as benchmarking or probabilistic modeling, adapt to new data as it arrives. Companies can then track relevant indicators and create thresholds of acceptable risk for a given project.
Internal risks affect far more specific and controllable processes. Companies use operational risk assessment to evaluate the risk of loss from inadequate business decisions. Compliance risk assessment is crucial, particularly in tightly controlled industries, such as banking or agriculture.
Internal audit risks must be assessed, particularly for publicly traded companies. It wasn't long ago that companies simply operated on industry-standard practices. Modern companies, however, assess internal risks by considering their likelihood and their impact on specific objectives.