Three weeks ago, the 16th largest bank in the U.S., and a darling of Silicon Valley, folded up within hours after operating profitably for 40 years. Just a few days later, a 167-year-old bank, considered a globally and systemically important one, found itself in financial trouble. Over the last two months, the biggest tech giants, though rolling in cash, have laid off thousands of employees.
Why do these failures happen so frequently? It's because organizations aren't implementing enterprise risk management as diligently as they should. This article presents an actionable guide to qualitative risk analysis to help your organization avoid such crises.
Understanding Enterprise Risks
Let's start with some basic terms that we'll be using a lot in this article:
- Risk: A risk is any type of loss, damage, or other negative outcomes on your organization.
- Risk event: This is an event that carries some risk to your organization's objectives, operations, or assets. For example, a political upheaval, a data breach, or a natural disaster are risk events.
- Likelihood of a risk: This is the probability that a risk event may occur and its potential impacts are negative. Risk probability may be quantitative (like a "65% chance") or qualitative (like "highly likely").
- Risk impacts: These are the consequences that a risk event can have on an organization, such as financial loss, damage to reputation, or inability to achieve objectives.
These abstract concepts will become clearer by reviewing some concrete examples of enterprise risks.
Examples of Enterprise Risks
Most people equate enterprise risks with business risks, but they're just one category. Let's see some examples of unfamiliar, yet important, categories of enterprise risk:
- Third-party risks: Third-party risks emerge from doing business with vendors and suppliers to achieve your goals. A data breach in your cloud vendor is an example of a third-party risk. Procurement risks are another example of third-party risks.
- Compliance risks: Non-compliance with the laws and regulations of the jurisdictions you operate in carries significant risks. For example, if you operate in the United Kingdom (U.K.), non-compliance with the U.K. Bribery Act carries significant financial and legal risks.
- Environmental, social, and governance (ESG) risks: Climate change, environmental pollution, poor human rights, and poor labor practices are some examples of ESG risks.
Other categories of enterprise risks, like legal and operational risks, also exist. To address all of them, companies use enterprise risk management frameworks as explained next.
Managing Your Enterprise Risks With Frameworks
Every company must systematically address its enterprise risks, and the approaches to do so are quite similar regardless of the company or its industry. So frameworks with ready-made procedures and policies have been formulated to reduce duplication of efforts and provide a level of standardization across enterprises.
In the following sections, we provide details on how these frameworks help address risk management, specifically qualitative risk analysis.
Qualitative vs. Quantitative Risk Analysis
The likelihood of risk occurrences and impacts of some risks can't be easily measured and quantified, even if they're genuine risks. For example, storing the personally identifiable data of customers comes with some legal risks in case of a data breach, but these risks are not easily quantifiable.
In such cases, a qualitative risk analysis is carried out with the likelihood and impacts described by qualitative labels like low, medium, high, minimal, moderate, severe, and similar. The reasoning and decisions here can be subjective and that can become a problem. So measures designed to reach a consensus must be put in place to ensure that everyone on the assessment team is on the same page.
Other risks may be more easily quantifiable. For example, the probability of industrial theft in an area can be gauged based on historical crime data from that area. Such risks are amenable to quantitative risk analysis where more objective comparisons are possible based on numerical values of key metrics.
Both quantitative and qualitative analysis are crucial components of enterprise and project risk management. In the next section, we focus on the steps involved in qualitative analysis.
The 8 Stages of Qualitative Risk Analysis
The qualitative risk analysis process can be broken down into the following eight stages.
1. Risk Appetite and Scope
The first step is to establish those high-level risks that your organization is ready to accept in pursuit of your organizational and business goals. COSO calls this risk appetite while ISO 31000 terms it "scope, context, and criteria." It basically lays out the boundaries of your risk management program.
For example, are you willing to start a factory in a specific country with many regulatory difficulties because of its future value to your business? Such questions for each business line depending on its type of project and project objectives help establish your risk appetite.
2. Risk Identification
Having established your risk appetite, identify risks at a more granular level under different categories, such as:
- Business risks, like relying on suppliers from risky countries
- Financial risks, like getting fined for aiding money laundering
- Compliance risks, like failure to follow a country's regulatory rules
- ESG risks, like climate risks
- Reputation risks, which may accompany the other risks
Qualitative risk analysis records and tracks the identified list of risks in a risk register. The details about the risks come from stakeholders and project teams through questionnaires, surveys, interviews, and reports.
3. Risk Assessment
Risk assessment is the most important stage in risk analysis. This is where every identified risk is assessed in depth for its likelihood and impact.
Three approaches are combined during this stage to get a complete picture:
- Qualitative risk assessment: This approach is for risks whose probability of occurrence and impact can't be easily quantified.
- Quantitative risk assessment: This is for risks whose likelihood and impacts can be meaningfully measured and quantified.
- Semi-quantitative risk assessment: This is a combination of the other two.
We'll focus on qualitative risk assessment here. Sometimes the likelihood and risk exposure can't be meaningfully measured or expressed using numbers. For example, if your project destroys the revered land of a community, you may lose the community's trust, lose them as customers, and damage your reputation. These are real risks but not easily quantifiable.
In such situations, risk-specific, qualitative labels are used to describe likelihoods and impact scales. The likelihood may be described using labels like low, medium, and high. Impacts may be described using labels like severe, moderate, and minimal. The labels will be accompanied by detailed text descriptions that add more information.
The most common qualitative assessment techniques are interviews with stakeholders, cross-functional workshops involving many project teams, surveys of team members, benchmarking, and scenario analysis.
The last two — benchmarking and scenario analysis — are semi-quantitative. Benchmarking involves measuring an event or phenomenon using metrics established by an industry standards body, rating agency, or government regulator. Scenario analysis breaks down each scenario into specific, measurable, granular conditions and compares them on quantified outcomes.
Risk Assessment Matrix
The outcome of this stage is a risk assessment matrix. It's a document, based on a grid template, with the likelihood usually on the horizontal axis and the severity on the vertical axis.
The risk assessment matrix is a useful tool to communicate risk assessment as it presents risks in a clear and easy-to-understand format, allowing informed decision-making by all stakeholders over the levels of risk they are willing to accept. It's also a vital tool for the next stage of prioritization.
4. Risk Prioritization
Not all risks need the same attention or urgency. Even for scenarios that carry equally high risk, prioritizing risks is necessary based on urgency or other factors. The risk assessment matrix acts as an important tool for prioritizing risks. But other tools like cost-benefit analysis and strengths, weaknesses, opportunities, and threats (SWOT) analysis are commonly used to inform the prioritization.
5. Risk Mitigation
Risk mitigation refers to the measures to avoid risks, reduce their likelihood, and control or minimize their impacts.
Risk mitigation involves preparing a comprehensive risk response plan for achieving one or more of those measures. It involves steps like:
- Risk controls: These are your measures for controlling and minimizing impacts. For example, the risk control for reputation risk might include a press conference.
- Roles and responsibilities: Tasks and expected outcomes are unambiguously assigned to specific roles, and the authority required to carry out those responsibilities is granted beforehand.
- Communication plan: The response plan contains standard operating procedures on who should be notified about a risk event and its impacts. It establishes multiple modes of communication to do that.
- Testing and training: The responsible roles must be frequently trained and their responses tested to check if they're following the response plan.
6. Risk Monitoring
Implementing a response plan is impossible if you aren't monitoring for the events and impacts that show that a risk has come true. Risk monitoring involves constant monitoring of any indicators and metrics that show that a risk event has occurred and its predicted impacts are ongoing.
These may be qualitative or quantitative. An example of qualitative monitoring is automatically checking the news for mentions of your brand or company and running sentiment analysis on them to gauge if they're positive or negative.
7. Risk Remediation
Once a risk has occurred and been mitigated, you must think about how to address the root causes that lead to it and minimize, or even eliminate, its likelihood and impacts in the future. Root cause analysis must be carried out. Improving your organizational resilience and business redundancy may be necessary for such remediation.
8. Risk Reporting and Documentation
Documenting your risk assessments and mitigation is necessary to help with remediation. But in addition to internal benefits, they may be mandatory in some regulatory environments.
For example, the examination under the Bank Secrecy Act anti-money laundering regulations requires a regulated institution to document all its risk management measures and make them available to examiners and external auditors.