First
Categorize the activities in the company based on the core process functionalities, for example: (Cash management process, General Accounting, Sales etc).
Second
Identify all risks that your organization might face. You can identify the risks from several internal and external sources such as: (the org policy and procedures, website, senior management inputs, the employees interviews, lows and regulations, etc).
Third
Then you need to trace these risks with processes in your organization defined in step one.
By finishing this phase you will have a table include all risks in your org connected to one or more of the processes in the org.
The logic behind this is to define the responsible party in the organization who will manage and control each risk, and will be considered accountable for the impact of this risk in the organization if not controlled properly.
However, if the risk isn't connected to any one of the processes in the organization this indicates that this risk either doesn’t affect the company or its process has been missed.
After that we need to find a tool to measure the impact of these risks on the organizations processes, this is called the risk assessment, it will be explained in the following phase.
Fourth
Assess the risks means convert it into a measurable amount, thus we should develop a measurement tool to be used in the assessment process. This tool should include all possible qualitative (subjective) factors and quantitative (numerical) factors that have effect on the risks.
Examples on some factors that migh be considered when assessing any process's risk:
A. Monetary or Financial factors: (this is an objective factor) usually assessed by weighting the amount of money involved in the process such as: (cash outflow and inflow in the process, amount of expenses paid by the process, total amount of asset involved in the process, revenue generated by the process, etc.).
The numerical weight might be ranged from 5 to 1 based on the size of the financial factors of all processes, i.e. the bigger amount of the financial factor the higher the risk thus the higher weight.
Example if we apply one factor:
Amount of asset invested on the process Weight
0m-1m 1
1m-2m 2
2m-3m 3
3m-4m 4
4m-5m 5
Note: multiple financial factors might be involved to assess the weights by build in a matrix.
B. Level of operational control, (this is a subjective factor) usually assessed by weighting the efficiency and effectiveness of internal controls applied in the process, such as: (organizational structures, clarity of policy and procedures, etc), thus a scale ranged from strong to week is the best to be applied.
Example if we apply one factor:
Policy and procedures required and applied Weight Strong 1
Moderate 2
Week 3
Note: multiple factors can by applied concurrently, and more scale can be used as well.
C. Degree of Compliance required with regard to external rules and regulation. (Subjective). Scale from High to low can be used
D. Previous audit result. It is an objective factor. The numerical weight might be ranged from 5 to 1 based on the report result for example 5 is given for non satisfactory report, 3 for satisfied expect report and 1 for satisfied report.
E. Finally, whether it’s a core process in the company or it’s a supported process. (this is an objective factor). Usually assessed by weighting the magnitude of the process in the company, for example 5 is assigned for the core processes and 4 for the second level processes and so on.
To calculate the rate of each risk “defined in the second step above” on the organization; do the following:
- Each one of the above factors will have a weight (25%, 20%, 15%, 20% and 20% respectively).
- Multiply this weight with the risk assessment result you obtained after assessing each factor to determine the rating for each risk:
The result in the RATING will be used to:
- Prioritize the risk magnitude and importance in the organization,
- Manage these risks by determining the required level of internal control to mitigate these risks into an accepted level by the senior management of the organization.
- Determine the impact of the risk on the organization by estimating the possibility of occurrence for each risk, this will be explained in the Fifth step.
Fifth
In order to have more details analysis per risk, we can add the possibility of occurrence for each risk within the process it self“It is the likelihood that the impacts of that risk will happen in the real situation and will have an effect on the company activities and increase the uncertainty of achieving the company objectives.To measure this, give the possibility of occurrence for each risk a degree of possibility such as “certainly will occur, likely, not likely, rare, and will not occur”
You can use the result of this table to draw a chart representing each risk location on the company risk appetite line
Sixth
After applying the control, the remaining risk that has not be covered by the control is the residual risk.