Seeing the unseeable, divining the future, or painting pictures with your eyes closed — all require insight not available from “tried and true” approaches. Risk identification is similar. Internal auditors and risk managers need the ability to identify risks (or risk events) that will create unacceptable levels of variability in accomplishing an organization’s objectives. How do we identify those not currently on the radar screen?
Can We Do More Than Employ Smoke and Mirrors?
Risk identification involves consideration of the full range of risks, to allow focus on the most impactful ones. We need solid methods to do this, rather than relying on smoke and mirrors to confuse our stakeholders or lead them to think we are doing something useful when we are not.
Dealing with known, readily measured, and frequently encountered risks is easy. But these risks, often populating generic risk listings, have limited importance. Identifying important risks is the mandate – whether easy or hard.
Techniques to Identify Unlikely, Unusual, or Unidentified Risks
- Use your business acumen (or obtain it!) to understand risk. All risk identification starts with understanding the business – intimately. This includes both how the organization operates internally and those external factors that impact the organization. Well-developed business acumen is the starting point, not a prepopulated generic listing of risks.
- Focus first on the organization’s objectives, not its risks. Risks only matter if they impact an organization’s objectives. Cluttering your mind (and risk register) with risks that don’t matter keeps you from identifying the important risks that follow from fully understanding the business’s objectives.
- Don’t be constrained by inertia. It is tempting to start with the list of risks from last month or last year when deciding which risks demand attention now. This establishes a bias from the start and makes it difficult to branch into new areas — you “trust” the prior results. This approach leads many to dismiss a new risk as ridiculous or unlikely, characterize a new risk as a minor modification of a known risk, or ignore a risk which is not specifically known. To identify new risks, throw out last year’s list of risks and start with a blank slate.
- Look beyond your organization. Risk events an organization has lived through get permanently impressed into the minds of those who experienced them. However, your organization is not the only one subject to risk. Look at other organizations and see what risk events they have had to address — being sure to consider organizations outside your industry. Issues a government unit has addressed could point out a risk your privately held manufacturer could also face. Just because a risk has not affected you in the past does not mean it isn’t important — leverage others’ experience.
- Consider risks that are opaque. Risk events, by definition, are uncertain and unpredictable — and can be complex. Don’t limit yourself to simple, single-dimension risks. Consider scenario planning, intercorrelations, and root cause analysis to go beyond attractive simplicity. Of these three, the easiest to implement is root cause analysis. What is considered a risk can be merely a symptom of the real risk lying deeper in the organization. Instead of accepting the conventional wisdom of what is an important risk, ask again and again — “Why does this risk exist, what is causing it?” Dig deeper to make sure you have the root of the risk you are seeing.
- Take the views of executives with healthy skepticism. I worked in a large, global organization where risk events were experienced at the bottom, in the middle, and at the top. It is tempting to want to focus our efforts on “the big risks” that naturally lead us to only consider the views of the executives and high-level subject matter experts who regularly look at the organization from the 30,000-foot level. Having this as the sole focus is a mistake. Executives know largely what others tell them — which is often not the full story.
- Talk to the people who really know. Customer feedback, specific process failures, business planning exercises, unexpected financial losses, safety incidents, shifting market dynamics, etc. can all point to risks. These risks are known by those on the front line, but are often not seen from the executive level. Those who operate on the front lines see risks with a different perspective — one that needs to be heard. Seemingly small risks can morph quickly into major impact. Even high-profile “surprises” were probably predictable events to many on the front line in an organization.
- Avoid groupthink. Brainstorming to come up with ideas through group interaction can be great at identifying “unimaginable” scenarios — assuming it really operates as brainstorming. Often, however, groupthink creeps in. The subtle scoffing, smirks, side conversations, and the like easily communicate that creative or unusual ideas are not to be considered. This common dynamic directly works against identifying risks that have historically been ignored. If risks are to be discussed and identified as a group, ensure groupthink is not allowed to take over and subvert the process.
- Resist pressure to acquiesce. For a variety of reasons, some people will want to hide or downplay certain risks and consider it “all good” if we fail to identify them. Internal auditors and risk managers need to push through the pretty packaging, the flowery words, and heartfelt assurances that there is nothing to see behind the curtain. Focus on the risks, not messaging driven by someone’s personal agenda.
Performing risk identification that looks for the unseeable or ignored risks requires an investment. Simple, tried-and-true processes are not sufficient. Using different methods, involving different people, and looking in uncommon directions is a lot of work — detailed work. However, failure to identify an important risk has more consequences than spending extra time on risk identification. Identifying the unlikely, unusual, or undefined risks on which you need to focus is an effort well worth the cost.
Doug Anderson, CIA, CRMA, CMA, CPA, has focused on many aspects of assurance, risk management, finance, and accounting in his career. He has served as CAE Solutions Managing Director at The Institute of Internal Auditors, Inc; was an Assistant Professor of Accounting and Finance at Saginaw Valley State University; spent 22 years at The Dow Chemical Company primarily in internal audit including 9 years as CAE; and spent 10 years with PwC early in his career. Doug has held many volunteer positions at The IIA and has participated in COSO projects, ISO committees, and the PCAOB Standing Advisory Group.