A:

Before a business can assess or mitigate business risk, it must first identify probable or likely risks to its bottom line. There is no surefire method for identification or assessment, but firms rely on reasonable approximations based on past experience. Risk processes naturally evolve and mature over time, but there are some fundamental principles that stay constant.

Business risks come in all shapes and sizes, so effective risk assessment must be adaptable to or uniquely designed for specific dangers. Whenever possible, a firm should group similar risks into similar analytic processes.

Ideally, a company should allocate capital based on risk in conjunction with cost/benefit analyses. Every risk identification process should lead to effective analysis, and every analysis should inform corporate governance.

Internal Vs. External Risk Analysis

There are two broad forms of risk: internal and external. External risks are those that originate outside of the firm and include economic trends, government regulation, competition in the market and consumer taste changes. Internal, or firm-specific, risks include employee performance, procedural failure, and faulty or insufficient infrastructure.

External risk assessment is almost always data-heavy. Since most external risks are systemic to an economic system – and therefore outside of the control of the company – forecasts cannot be adjusted based on different corporate governance decisions.

The external assessment begins by categorizing potential risks. Some scales are nominal, and some are ordinal. Companies prefer nominal categories because they are easier to manipulate and compare. Quantitative techniques, such as benchmarking or probabilistic modeling, adapt to new data as it arrives. Companies can then track relevant indicators and create thresholds of acceptable risk for a given project.

Internal risks fall under far more specific and controllable processes. Companies use operational risk assessment for risk of loss from inadequate business decisions. Compliance risk assessment is crucial, particularly in tightly controlled industries, such as banking or agriculture. Internal audit risks must be assessed, particularly for publicly traded companies.

Modern companies assess internal risks by considering likelihood and impact on specific objectives; it wasn’t that long ago that companies simply operated on industry-standard practices.