Before a business can assess or mitigate business risk, it must first identify likely risks to its bottom line. There is no surefire method for identifying these risks, but companies rely on past experience to reasonably approximate what could happen. Risk processes naturally evolve and mature over time, but there are some fundamental principles that stay constant.
- Businesses are vulnerable to two broad forms of risk: internal and external.
- External risks include economic trends, government regulation, competition in the market and consumer taste changes that originate outside the firm.
- Internal risks, which include employee performance, procedural failure, and faulty or insufficient infrastructure, are much more controllable.
- A company should allocate capital based on risk as determined by cost-benefit analysis.
Assessing Business Risks
Business risks come in all shapes and sizes. This means that effective risk assessment must be adaptable to or uniquely designed for specific dangers. Whenever possible, a firm should group similar risks into comparable analytic processes.
Ideally, a company should allocate capital based on risk as determined by cost-benefit analysis. Every risk identification process should lead to effective analysis, and every analysis should inform corporate governance.
Internal vs. External Risk Analysis
Two broad forms of risk primarily affect a business: internal and external.
External risks are those that originate outside of the firm and include economic trends, government regulation, competition in the market and consumer taste changes.
External risk assessment is almost always data-heavy. Since most external risks are systemic to an economic system, and therefore outside of the control of the company, forecasts cannot be adjusted based on different corporate governance decisions.
The external assessment begins by categorizing potential risks. Some scales are nominal, and some are ordinal. Companies prefer nominal categories because they are easier to manipulate and compare. Quantitative techniques, such as benchmarking or probabilistic modeling, adapt to new data as it arrives. Companies can then track relevant indicators and create thresholds of acceptable risk for a given project.
Internal risks affect far more specific and controllable processes. Risks include employee performance, procedural failure, and faulty or insufficient infrastructure. Companies use operational risk assessment to gauge the risk of loss from inadequate business decisions. Compliance risk assessment is crucial, particularly in tightly controlled industries, such as banking or agriculture.
Internal audit risks must be assessed, particularly for publicly traded companies. It wasn't long ago that companies simply operated on industry-standard practices. Modern companies, however, assess internal risks by considering their likelihood and their impact on specific objectives.