As we work with organizations to help them develop their Enterprise Risk Management (ERM) programs, there is a common challenge we see in how people approach risk assessments, and that is distinguishing between risks and risk sources. For anyone who has not studied risk assessment methods, this confusion is extremely common and comes up in virtually every risk assessment we review. But understanding the difference between the two is important to building better risk assessments, and critical to creating effective and efficient internal controls.
Whenever you perform a risk assessment, there are a series of questions that typically get asked:
- What could go wrong?
- How likely is this event?
- What would be the impact of the event?
- Is that outcome acceptable within our stated risk tolerance?
- Is there something that we need to do to mitigate some of the risk?
But there is actually a sixth question that is very often overlooked: “What might lead to this event taking place?” This is the risk source – those circumstances or actions that would set the stage for an unwanted event. The problem arises when we confuse the event (what could go wrong) with the source of the event (what might lead to it).
Generally speaking, for something to be considered a risk event, the following should be true:
- It should be tied to a defined process, since virtually all risks represent a process failure of some sort.
- You should be able to quantify the impact of the event.
- It should generally reflect an unexpected outcome.
Anything that does not meet these criteria may very well be a risk source.
Let’s take one example to clarify this point. We often see clients list “lack of procedures” or “lack of training” as a risk. But both of these are extremely hard to quantify, because you simply don’t know what will happen as a result. They are both excellent examples of risk sources, those conditions that create fertile ground for unwanted events (process failures) to take place. Instead, consider the following:
- Risk: Failure to properly authenticate customers, which could lead to fraudulent activity, a negative customer experience, reputation issues and regulatory scrutiny, including fines and sanctions.
- Risk Source: Lack of proper training, lack of sufficient policies and procedures and employee error.
By more clearly defining the risk, we can be more precise in estimating the impact and make a determination about the proper level of controls needed in order to mitigate the risk to within an acceptable tolerance.
The second reason that this distinction is important is that while we use the risk itself (the process failure) to estimate and assess the impact, we use the risk sources to design the controls. Remember, controls are built in response to risk sources, whereas impact statements are built off the event itself. So in the example above, we can analyze the risk to fully understand its potential impact, and then make a determination about the right level of controls. Then, we use the information about the sources to decide how to build the appropriate controls. So, for instance, we make sure that a policy and appropriate procedures exist and are maintained, and employees receive the appropriate level of training.
Now note the last risk source, employee error. Here is an example where you can’t create a control to avoid employee error. People will make mistakes. What you can do is ask yourself: if an employee did make a mistake, is the risk still so great that the impact would be unacceptable? (Again, we are trying to align with our risk appetite.) If the potential remaining risk due to an employee error is so great as to be beyond acceptable tolerance levels, then a secondary level of controls is needed, but only based on our assessment of the basic risk (process failure).
To aid you in this approach, following are some very common risk sources to consider:
- Employee error
- Lack of policies & procedures
- Lack of sufficient training
- Inexperienced or unqualified staff
- A changing environment (products, policies, reporting lines, etc.)
- Lack of clear lines of authority
- Lack of dual controls
- Malicious intent, either internally or externally
Each of these can be closely tied to an internal control, but would be very hard to quantify if considered as a stand-alone risk.
Adding this simple thought process to risk assessments adds very little time to the exercise. But encouraging people to think about risk in these two dimensions exponentially increases the value of the information, because it not only allows you to focus on real risks that can be quantified, but also gives you much more information to use when deciding on the right level of controls.