Risk mitigation means making a risk less likely to occur, or making its direct (money lost) or indirect (e.g., reputational) impact less severe if it does occur.
Risk is not inherently bad: risk-taking is what earns rewards and creates the potential for business success. Risks should therefore be mitigated to a level that aligns with the overall strategy of the organization, not eliminated.
The "guiding light" for the amount of residual risk (the risk that remains after mitigation has been applied) an organization should take on should be described in a risk appetite statement issued by the board of directors.
Risks can be accepted as is if they are within the risk appetite or mitigated in the following ways:
Avoided: Do not conduct the activity associated with the risk. If the reward of doing business in, for instance, a certain country or industry does not outweigh the risk, get out of that country or industry and focus on areas where the reward outweighs the risks.
Transferred: Move the risk out of your organization. If the risk seems to outweigh the reward, or if the risk involves activity outside of your core area of business, the activity can be outsourced to another organization, or insurance can be purchased to transfer the financial impact of a risk. Note that transferring a risk does not transfer accountability for it: the organization still answers for the outcome to its customers and regulators, so transferred risks must remain on the risk register and be monitored.
Controlled: A control is any activity, guideline, or system that reduces the likelihood of a risk occurring or limits its impact. A control can be either preventive or detective, and either manual or automated.
Implementing controls can either lower the likelihood of a risk occurring or the impact if the risk does occur.
Note: A control costs money, and a risk can be over-controlled. When designing a control environment, it is essential to see controls in the context of the entire value chain, and not just in the context of a single business area or process. In mature organizations, a holistic risk assessment will often reveal that too many overlapping controls are in place, leading to cost savings and opportunities to be more efficient. The focus should be on having few but good key controls in place across value chains.
The following provides a guideline for how to categorize and describe controls.
Preventive and Detective Controls: Does the control prevent the risk from happening, or detect the risk if it does occur? If cash is kept on a table, a locked door is a preventive control and a camera is a detective control.
Manual or Automated Controls: Does the control happen as a manual step in a process, or is the control automated in a system? If too many zeros are added to an amount, this can be caught manually by having someone else review the data input, or it can be caught by a system that has tolerance levels programmed into it.
Key Controls: A key control is relied upon to prevent the risk from occurring, or detect the risk when it has occurred.
General Controls: General controls are not specifically relied upon to mitigate a particular risk, but contribute to the prevention or detection of many risks. Hiring good and honest people and having a good risk culture are examples of general controls, which are important but not key to any specific risk.
When describing controls, it is essential to use a uniform way of writing, which can be applied across the entire organization. The following is an example of how to write a control:
1. Who – The employee/area or system performing the control
2. Which – The “control word” e.g. alerts, approves, automatically, confirms, monitors, reconciles, reviews, tests, validates, verifies
3. What – The information the control is performed on
4. When – The trigger, timing and/or frequency of performing the control
5. Why – The outcome/reason for performing the control
6. Action – the action taken if the control catches an issue
Example of a control written in the above format: A trader (who) reviews (which) the daily trade report (what) at the end of the day (when) to ensure trading data is accurate (why) and alerts the broker and the back office for corrective action if the data is inaccurate (action).
Focus on enterprise risk management.
Unfortunately, most organizations come up with different ways to assess risk and describe controls depending on the areas involved. This leads to inefficiencies and lost opportunities to leverage and aggregate information across the organization. If, for example, the head of audit and the Chief Risk Officer have different ways of describing key controls, opportunities to work together and add value to the organization will be lost. Each organization should have only one way to manage risk.
Develop a one-page dashboard to report on and monitor risk on an ongoing basis.
Combine process development and maintenance with risk assessment. Successful risk mitigation involves assessing and implementing processes and controls at the same time.
Our advisors have experience developing risk management frameworks across the globe and can help you tailor a risk management framework suited for your organization.