Risk and control 101
Risk and control is a natural consequence of running a business, as performing business entails risks. For example, when selling a product, there will be the cost of producing the product, and there will be a risk of a loss in case the customer cannot pay for the product. However, the above risk is a calculated risk, as you cannot run a business without accepting some of your risks.
Not every risk is significant and risks can be handled in various ways. The significance of a risk can among others depend on its impact and likelihood, which in turn can affect the response required.
Several approaches can be used when handling a risk. Not all risks should be dealt with, and one approach is to accept the risk and do nothing but follow its development. Another approach is to avoid the risk, if possible, in case the risk has a large and damaging, potential impact. This can either be done by removing what causes the risk or by transferring the risk to someone, somewhere or something else. A third approach is to mitigate the risk by either lessening the impact of the risk or mitigate against the likelihood of the risk becoming a reality.
As risks should be dealt with, businesses should assess which risks are crucial to the business and what control principles could manage them. A template for assessing risk and control should include:
- Assessment of business risks and what control principles could manage these risks
- Assessment of whether the design of the controls in place is sufficient to mitigate risks
- An overall assessment of whether the design and functionality of the controls is sufficient in managing the identified risks
Assessment of the control principles could involve risk appetite, ownership, priorities and key risk indicators. It could also involve internal and external research, and discussions with business managers and the risk division. Though assessing control principles is optional, it is good practise because it helps organization identify what they believe should be in place before assessing the actual controls in place.
Handling risks effectively
Impero has developed a risk map that offers an easy but powerful way of visualizing an organization’s processes and related risks. Users can list their risks in terms of impact and likelihood and add controls to mitigate these risks. The risk maps can be used at different levels such as on an organization in general or on a country or department level. By mapping controls to risks, organizations will gain valuable insights and an overview on how well their risks are covered.
Impero is a Danish software company that offers an intuitive cloud-based compliance solution with a unique and light-weight approach. The solution is helping companies stay in control in various areas including risk and control, control self-assessment, SOX compliance and tax control framework software.
Try out Impero today, get a free trial here. Start your fully functional 30-day trial right now and dive into Impero’s solution. We’ve got tutorials to help you get started.