How to Build a Dynamic Risk Assessment

This article originally appeared on EY Insights. Stay tuned for a second article deep dive into GE’s journey with a data-driven dynamic risk assessment. Learn more about Dynamic Risk Assessment solutions powered by AuditBoard and EY here.

Do you know what must go right to achieve your organization’s strategic objectives? Are you able to identify what could go wrong before it happens?

We’ve introduced the connected risk approach and discussed the importance of beginning with an integrated risk taxonomy to harmonize your risk management activities across the three lines of defense. The next step is to execute a dynamic risk assessment composed of:

  • Diverse qualitative and quantitative inputs to reduce reliance on judgmental analysis
  • Data-driven aggregation and prioritization methods to reflect a rapidly changing environment
  • Modern tools and technology to enhance output and reduce manual effort

Dynamic risk assessment has four phases: orient, identify, prioritize and respond.

Orient Your Mandate to Better Manage Risk

From whatever perspective that you’re reading this, “orient” is a critical first step to understand the scope of risks you’re assessing and your function’s mandate with respect to managing those risks. This will determine where you source data, how much emphasis to put on each type of input, and who needs to be consulted and/or informed during the process.

Each risk, compliance and assurance function is likely to have its own assessment process; too often, these assessments are done in silos and not shared across the enterprise. Leading organizations are moving toward enterprise assessments, but that doesn’t mean one risk assessment to rule them all — in fact, quite the opposite. Each function independently assesses through its lens and shares the output across the three lines. When this is done collaboratively, the risk ecosystem thrives on an integrated taxonomy and a comprehensive view of the top risks facing the company.

Identify Risk Through Data-Driven Inputs

The “risk then data, or data then risk?” conundrum has plagued the risk assessment process for years. Historically, companies have conducted interviews to identify risk, then found data to substantiate the risk. Today, organizations must leverage internal and external data to identify a broader set of rapidly changing and emerging risks in addition to what management has identified. 

Dynamic risk assessment incorporates four types of inputs, including:

1. Qualitative assessment – balancing interviews and data

Qualitative assessment is the risk professional’s subjective determination of the likelihood, impact and velocity of a risk occurrence, based on the data consulted, current factors and general knowledge of the business. This inherent risk rating is then offset by a qualitative review of management preparedness or control effectiveness to produce a residual risk rating.

Interviews remain a valuable source of information for qualitative analysis; however, they must be balanced with data-driven inputs to produce a truly dynamic risk assessment. Leading organizations are utilizing modern tools to drive efficiency and deeper insight, reaching greater audiences in facilitated sessions and turning feedback from interviews into structured data inputs.

2. Quantitative metrics – deriving risk from business performance

Quantitative metrics include financial, operational and other business performance indicators that are considered key to operational success. While the first line leverages these KPIs to run the business, second and third line functions turn them into key risk indicators (KRIs) by assigning tolerance thresholds and aligning to specific risks within the taxonomy.

Ideally, analytics are never built solely for the purpose of executing a risk assessment; they can and should be adapted from existing operational indicators or developed and fed back to the business as continuous monitoring.

3. Risk performance – leveraging the same taxonomy 

Risk performance refers to history and findings from internal and external audits, compliance and other assurance activities, including management’s self-reporting of issues. When functions use the same taxonomy, risk performance easily maps into the assessment process. In the next blog, we’ll dive into assurance mapping and coordinated response, the basis for your risk performance inputs.

4. External data – challenging perspective with the “bias buster” 

Notable organizations leverage external data as a bias buster to challenge the completeness and prioritization of their internal risk assessments. Many companies struggle to identify and access meaningful information; luckily, there are platforms and solutions available to aggregate multitudes of data and identify threats aligned to your risk universe. 

Organizations should consider adopting a leading risk platform that aggregates external data sources, including peer company risk factors from publicly available reports, sentiment analysis from news and social media, credit analysis, cyber health ratings, geopolitical factors (including a corruption index and AI-based country risk ratings), and publicly available information about key and second-tier business relationships (e.g., suppliers, customers, joint ventures).

Leveraging new data will likely expose additional risks, so we highly encourage a loop-back mechanism to evaluate and update your taxonomy. 

Prioritize the Risks That Matter Today

A risk assessment is considered “dynamic” when it continuously ingests new data from multiple sources to quickly identify and reprioritize emerging and increasing threats. This aggregation and orchestration is your “secret sauce”: weighted scoring of the inputs produces a composite risk score aligned to your integrated risk taxonomy (remember the snowflake structure we talked about in a previous article). Each function may weigh the inputs differently based on the mandate established in the orient phase, and the weighting may change as new inputs become available.
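To make the weighted composite scoring concrete, here is an added Python example (constructed for this article, not an AuditBoard or EY calculation) that scores two taxonomy entries from the four input types described above, applies each function’s own weights, and reranks when new KRI and external data are ingested. All scales, weights and taxonomy entries are assumed for illustration.

```python
from dataclasses import dataclass, replace

# The four input types named in the article, each already normalized to a 0-1 score.
@dataclass(frozen=True)
class RiskInputs:
    qualitative: float   # residual rating from facilitated sessions / interviews
    kri: float           # how far a key risk indicator has breached its tolerance
    performance: float   # audit, compliance and self-reported issue history
    external: float      # the "bias buster" signal from outside data

def qualitative_residual(likelihood, impact, velocity, control_effectiveness):
    """Inherent = likelihood x impact x velocity (each 1-5) scaled to 0-1, offset by control effectiveness (0-1)."""
    inherent = (likelihood * impact * velocity) / 125.0
    return inherent * (1.0 - control_effectiveness)

def kri_breach(value, tolerance, ceiling):
    """Turn a KPI into a KRI: 0 while inside tolerance, rising linearly to 1 at the ceiling."""
    if value <= tolerance:
        return 0.0
    return min(1.0, (value - tolerance) / (ceiling - tolerance))

def composite_score(inputs, weights):
    """Weighted composite score under one function's weights (weights must sum to 1)."""
    assert abs(sum(weights.values()) - 1.0) < 1e-9, "weights must sum to 1"
    return round(sum(w * getattr(inputs, name) for name, w in weights.items()), 3)

def prioritize(risks, weights):
    """Rank taxonomy entries, highest composite score first."""
    return sorted(risks, key=lambda r: composite_score(risks[r], weights), reverse=True)

def ingest(risks, name, **new_inputs):
    """Ingest fresh data for one entry; returns a new assessment and leaves the old one untouched."""
    return {**risks, name: replace(risks[name], **new_inputs)}

# Constructed taxonomy entries and function weights (illustrative values, not from the article).
RISKS = {
    "third-party access": RiskInputs(qualitative_residual(4, 5, 3, 0.5), kri_breach(12, 10, 20), 0.6, 0.3),
    "revenue recognition": RiskInputs(qualitative_residual(3, 5, 2, 0.7), kri_breach(2, 5, 10), 0.9, 0.2),
}
WEIGHTS = {  # each function weighs the same inputs according to its own mandate from the orient phase
    "internal_audit": {"qualitative": 0.3, "kri": 0.1, "performance": 0.5, "external": 0.1},
    "cyber_risk":     {"qualitative": 0.2, "kri": 0.3, "performance": 0.1, "external": 0.4},
}

if __name__ == "__main__":
    for fn, w in WEIGHTS.items():
        print(fn, prioritize(RISKS, w))
    # A vendor-review backlog and a cyber health rating drop arrive: rerank without waiting for a refresh cycle.
    updated = ingest(RISKS, "third-party access", kri=kri_breach(18, 10, 20), external=0.9)
    print("internal_audit after ingest", prioritize(updated, WEIGHTS["internal_audit"]))
```

With the assumed values, internal audit and cyber risk rank the same two entries in opposite order, and the ingested data moves third-party access to the top of the internal audit ranking.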

Respond to Fit Your Organization’s Risk Posture

Leading organizations leverage modern technology to enable this process on a continuous basis and expose the risk posture of the enterprise to management in real time rather than waiting for a prescribed risk assessment refresh cadence. A dynamic risk assessment that prompts the right response at the right time is critical to protect and build organizational value.

AuditBoard and EY’s joint dynamic risk assessment (DRA) solution leverages AuditBoard’s OpsAudit & RiskOversight products and EY’s third-party integrations. DRA is a robust new solution that helps organizations drive a risk-informed and intelligent audit plan through the use of internal and external risk indicators. Teams can now expand their risk assessment methodology to include qualitative, financial, operational, and external factors as well as third-line results to generate data-driven audit insights through a calculation created together by EY and individual organizations. With DRA, organizations can leverage a multi-dimensional view of risk and data-driven intelligence to evaluate threats from all sources and right-size their qualitative analysis to ensure they have an informed audit plan. To learn more, complete the form below to schedule a tailored demonstration. 

Megan Duggan is Senior Manager, Risk Consulting at Ernst & Young LLP. She helps clients navigate complex challenges and uncover insights through technology and innovative solutions that enable better decision-making. Connect with Megan on LinkedIn.

Scott McCowan is EY Americas Risk Management Leader, Consulting at Ernst & Young LLP. He helps clients embrace risk, update their risk functions, and implement risk intelligence to help protect their businesses so that they can generate fresh value and obtain a competitive advantage. Connect with Scott on LinkedIn.