AFERM Experts Say...
There is no standard form for developing a risk assessment report. While various sources indicate elements that may find a home in such a report, one might expect no standard exists because assessment reports can be written for different audiences with different information needs.
Understanding what might go into a risk assessment report should thus begin with an understanding of the needs of those for whom the report is intended. ISO 31000 defines risk assessment as the combination of risk identification, analysis, and evaluation, but does not include risk treatment. Are we looking only to report information on the assessment of risks (as suggested by the wording of your question), or are we also seeking to report on the implementation status of selected risk treatments, and the resulting risk after treatment? The more inclusive reporting of risk treatment status is required if the report is to be used by management to monitor risk treatment activities, and ensure that the targeted levels of risk resulting from risk treatments are actually achieved. If your report is to share newly identified risks, then there would be no need to include risks previously identified. However, if the intent is to communicate the organization’s ongoing level of risk and corresponding risk treatments, then understanding the full set of key risks is critical.
I would propose the following elements for any risk assessment report:
· Objective to be achieved (remember that risks by definition do not exist in isolation, but are linked to a specific objective).
· Name of risk
· Classification category of risk
· Risk appetite for the risk classification
· Likelihood/probability (of current risk)
· Consequence/impact (of current risk)
· Risk rating (prioritization based upon consideration of consequence and likelihood)
· Selected treatment (Accept, Avoid, Transfer/Share, or Mitigate/Reduce, and also Enhance if intentionally increasing risk to seek opportunities).
· Likelihood/probability (projected after completion of selected treatment)
· Consequence/impact (projected after completion of selected treatment)
· The basis for selected risk treatment (considerations of consistency with desired risk appetite, and cost-benefit analysis of various responses for treating any particular risk).
· Risk owner (the person responsible for determining the acceptability of the risk, selecting the appropriate risk treatment, and ensuring completion of the risk treatment).
If this report will also be used to monitor the actual implementation of the selected risk treatment, I would propose also including the following:
· Date risk treatment projected to be completed
· Current status of treatment (or indication of completion)
Too often organizations consider risk in a very informal, ad hoc manner. Effective risk management requires meaningful reporting and monitoring. Formal risk reporting will be important to any organization seeking to truly manage risks in an effective manner. A full understanding of an organization’s risks will require inclusion of newly identified risks as well as ongoing risk treatment activities previously assessed.