This is part 3 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about the eight key steps of the Risk and Control Self Assessment process aligned with the ISO 31000 Risk Management Standards.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. We at Protecht believe that there are six key building blocks required to support a strong integrated enterprise risk management framework.
So today, we're going to be looking at the risk assessment process, otherwise known as the risk control self-assessment. Now the objective of this process is to identify, analyse and understand our key business risks, and their related controls and evaluate those against our risk appetite and the desired risk levels and to see if we need to make any improvements.
Now there are many approaches to risk assessment. We will outline Protecht's preferred approach. This is made up of eight key steps, which really are aligned to the ISO 31000 Risk Management Standards. Now the process begins from the principle of risk as defined in ISO 31000, which is "risk is the effect of uncertainty on objectives".
So step number one is identification of the business's objectives. Step number two is to identify the operating model, the key processes that need to be working to be able to deliver against those objectives, and only now can we then go to step three, identify the risks that could cause the operating model to fail or not deliver the expected outcome.
Once we've identified the risks, we then need to assess the risks, typically using likelihood and impact. Once we've assessed and analysed the size of risk, we need to evaluate it against our risk appetite (risk evaluation) and determine whether we need to make any improvements if it is outside of appetite.
If we do need to make improvements, this allows us to identify any issues, risk assessment control weaknesses and control gaps, and from there we can identify the actions required to remediate those. This then moves us on to this process being repeated on a periodic basis: ongoing monitoring and review. And finally, the importance of recording and reporting the risk assessment. This is often done on a traffic light report using red, amber and green.
Those are the basic building blocks of the risk assessment process.
So please check out our other videos and blogs in helping you build a strong enterprise risk management process. So hopefully, we'll see you later and until next time, take care.
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David's vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht's clients. David is the driving force behind taking Protecht's risk thinking to the frontiers of what is possible in risk management and supporting the uplift of people's risk capability through training and content.