by Curtis Thompson, CPA.CITP, CISA

Tom Cruise starred in the 1980s movie Risky Business as a young man taking advantage of the freedom he found when his parents went away on a trip. He found that running around with shady characters leads to a world of trouble.

While we can’t slide across the floor in our Ray-Bans and rock out, there is still a lesson to learn from the film. In business you must manage the risks you face.

First you must ask yourself what your risk appetite is. You deal with risks in your everyday life. Do you like to sky-dive and go whitewater kayaking, or are you more comfortable driving your Volvo to the park and watching the birds? Some people are willing to take big risks for the thrill of the moment or for the big rewards, while others prefer the comfort of stability and safety.

No matter your appetite for risk, you have to deal with it. At a high level, you treat a risk in one or more of the following ways:

• Avoidance: Eliminating the risk by never entering into the activity or by ending your participation in it.
• Reduction: Lowering the likelihood or the impact of the risk through controls and improved processes.
• Sharing: Transferring all or part of the risk to others, through joint participation in the business or through insurance.
• Retention: Accepting the residual risk that remains after the other treatments.

Today, Enterprise Risk Management (ERM) seems to be the topic du jour of most business executives and board rooms. ERM is many things: the methods and processes an organization uses to manage risks and seize opportunities related to achieving its objectives, and a framework for managing risk. The International Organization for Standardization published ISO 31000:2009, Risk management – Principles and guidelines, and ISO/IEC 31010:2009, Risk management – Risk assessment techniques, to give organizations guidance on risk management.

So, how do you get started? For most organizations the starting point is the risk assessment. This can be a daunting task, but it is critical to understanding the risks to your business and how to deal with them. By systematically collecting the risks that threaten every area of the business, management can evaluate them, decide how to treat them, and finally prioritize mitigation efforts. All businesses face limited resources, whether time, staff, or money. The risk assessment process helps management spend those limited resources in the most effective manner.

Once all risks are identified, you will need to evaluate and rate them. This is generally done with a numeric rating system. I prefer a scale of 1-10 rather than a High-Medium-Low scale; the more granular rating allows a finer ranking.

You also need to think about how a risk should be rated. Most experts will tell you that the rating must include both likelihood and impact. These are very different ratings. Think about assessing the risk of someone hacking into your network. What is the likelihood? Attempts against any internet-facing network are a near certainty, so the question is really the likelihood of an attack succeeding. You have a firewall, your network was implemented by knowledgeable professionals, and it is tested regularly for vulnerabilities, so the likelihood of a successful intrusion is fairly low. But what if someone did break in? What if they accessed your customer records, your bank account information, or the plans for your next product? The impact to your company would be very high. You could lose the confidence of your customers, your bank account could be drained, and the product you planned could be undermined so that it loses all of its competitive advantage.

If you use both of these ratings you can then develop a composite rating. ISO 31010 defines the Composite Risk Index as the product of the risk's impact and the probability of its occurrence. This index can be extended to include other ratings, such as reputational or legal impact, and you can weight each rating to reflect how important certain risk areas are to your business. My suggestion is to start with the minimum: impact and likelihood.

A great way to document the risk assessment is a matrix. Each row represents a different risk, with columns for the ratings and the justification or explanation behind each rating. The matrix can then be sorted by composite rating, highest first, which gives you the order in which to prioritize your efforts.
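The following is an added example, not code from the original article, showing the scoring and matrix described in the last two paragraphs in working form: a small risk register rated on 1-10 likelihood and impact scales, a Composite Risk Index computed as impact times likelihood, optional weighted extra impact dimensions (reputational, legal), and the register ranked highest first. Every risk, rating, justification and weight in it is constructed sample data for a hypothetical business; out-of-scale ratings are rejected so bad data cannot silently skew the ranking.

```python
"""Risk register scored with a Composite Risk Index and ranked as a matrix.

Added example, not code from the original article. Each risk carries a
1-10 Likelihood and a 1-10 Impact rating; the composite is
Impact x Likelihood, and optional extra impact dimensions (reputational,
legal, ...) can be folded in with weights. All risks, ratings,
justifications and weights below are constructed sample data.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 10


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    justification: str = ""
    # Optional additional impact dimensions, on the same 1-10 scale.
    extra: dict = field(default_factory=dict)


def _check(value, label):
    """Reject ratings outside the 1-10 integer scale (bool is excluded too)."""
    if isinstance(value, bool) or not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")
    return value


def effective_impact(risk, weights=None):
    """Impact figure used in the composite.

    With weights=None only the core Impact rating counts (the article's
    suggested minimum). When weights are given they map dimension names
    ("impact" plus any keys in risk.extra) to relative weights, and the
    result is the weighted mean, so it stays on the 1-10 scale.
    """
    ratings = {"impact": _check(risk.impact, "impact")}
    for dim, val in risk.extra.items():
        ratings[dim] = _check(val, dim)
    if weights is None:
        return float(ratings["impact"])
    total_w = sum(weights.get(dim, 0.0) for dim in ratings)
    if total_w <= 0:
        raise ValueError("at least one rated dimension needs a positive weight")
    return sum(ratings[dim] * weights.get(dim, 0.0) for dim in ratings) / total_w


def composite_index(risk, weights=None):
    """Composite Risk Index = Likelihood x (effective) Impact, range 1-100."""
    return _check(risk.likelihood, "likelihood") * effective_impact(risk, weights)


def rank_register(risks, weights=None):
    """(composite, risk) pairs, highest first; ties go to the higher impact."""
    scored = [(composite_index(r, weights), r) for r in risks]
    return sorted(scored, key=lambda cr: (-cr[0], -cr[1].impact, cr[1].name))


def render_matrix(risks, weights=None):
    """One row per risk: rank, ratings, composite (CRI) and justification."""
    lines = [f"{'Rank':<4} {'Risk':<45} {'L':>2} {'I':>2} {'CRI':>6}  Justification"]
    for rank, (score, r) in enumerate(rank_register(risks, weights), start=1):
        lines.append(f"{rank:<4} {r.name:<45} {r.likelihood:>2} {r.impact:>2} "
                     f"{score:>6.1f}  {r.justification}")
    return "\n".join(lines)


# Constructed sample register for a hypothetical business.
SAMPLE_RISKS = [
    Risk("Network intrusion exposing customer records", 3, 9,
         "Firewall, professionally built, tested regularly; but customer "
         "records, bank details and product plans are at stake",
         extra={"reputational": 9, "legal": 8}),
    Risk("Phishing leading to fraudulent wire transfer", 7, 7,
         "Staff receive phishing weekly; no out-of-band payment check",
         extra={"legal": 3}),
    Risk("Loss of sole engineer for the billing system", 6, 5,
         "No documentation; two-month hiring lead time"),
    Risk("Flood in ground-floor server room", 2, 6,
         "Building outside the flood plain; backups kept off site"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS))
    print()
    print(render_matrix(SAMPLE_RISKS, weights={"impact": 1, "reputational": 1, "legal": 2}))
```

Run as a script it prints the register twice: once on the bare impact-times-likelihood index, where the phishing risk (7 × 7 = 49) leads and the intrusion (3 × 9 = 27) sits third, and once with legal impact weighted double, which is how the weighting the text mentions shifts the order. Keeping the weighted figure as a mean rather than a sum is a deliberate choice so the composite stays comparable across risks that carry different numbers of extra dimensions.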

Tom Cruise’s character makes a high-risk move and turns his parents’ house into a brothel to pay for repairs to his father’s Porsche (he wrecked it even though he wasn’t supposed to touch it). He needed a lot of money in a short amount of time, so he was willing to take on the risk. Had he assessed all the risks involved in the venture, he might have concluded that turning the house into a brothel would increase the likelihood of someone burgling the house (which they did). As is typical in Hollywood, all ended well: everything was returned before his parents got home, he got the girl, and he was accepted at Princeton. In real life, things don’t always end up the way you want. If you want to avoid bad things happening, you have to plan for them and put the controls and processes in place to prevent them.