Bizcoach, Small Business Ideas and Resources for Starting a Small Business
Risk Assessment and Internet Resources
This is a short article illustrating how the Internet can be used to support risk assessment activities.
Managers need to understand the business process and identify, measure, and prioritize business risks as an important part of management decision-making. Risk Managers and Internal Auditors are usually adept at these tasks, but often risk assessment is new to other members of the management team. The Internet has a wealth of resources for the professional Risk Manager, the Internal Auditor and the manager who needs to better understand the concepts and practice of risk assessment.
The first steps in risk assessment are understanding the business risk context, or how the business process works within an environment of risk, and identifying the types of risk that may affect operations.
Understanding the business risk context means gaining an understanding of the key interrelationships among the organization's business processes, the business culture, and the relevant external forces for change. The Internet can be used to assist in understanding the business risk context:
- News groups, lists and association web sites can be used to monitor industry trends and issues. Benchmark sites such as American Productivity an Quality Center (http://www.apqc.org), American Public Power Association (http://www.appa.org) or the National Association of Purchasing Management (http://www.napm.org) have benchmark studies (mostly focused on North America industry).
- News groups and lists can also be used to monitor specific business process trends and issues for functional areas such as planning, sales, distribution, procurement, finance, etc.
- Government web sites can be useful to monitor the trends in government regulation and macroeconomic policy. Canada and the USA are well known, but other countries have good information about public sector risk. New Zealand (http://www.govt.nz) and Australia (http://australia.gov.au/) have extensive web sites full of helpful information about social, legal, political, and economic trends. For organizations with offices elsewhere, searching the World Wide Web for "<country> government" will usually return the site addresses you need.
- Competition web sites can be useful general information for context understanding.
Risk identification is the most critical step of risk assessment. If you cannot identify it, you cannot analyze or treat it. The Internet can be used to assist in risk identification.
Risk identification has three requirements:
- A framework and common language for thinking about and discussing risk.
- A thorough knowledge of the business process(es).
- A means of stimulating your imagination about risk.
Frameworks for thinking about and discussing risk are usually developed within each organization, although some governments and private companies may follow standard models. Two national models are the Australian/New Zealand standard AS/NZS 4360 (information site at http://www.standards.com.au) and the Canadian standard CAN/CSA-Q850-97. The "Big 5" accountancy consulting firms have developed various models in support of their practices, such as the Generally Accepted Risk Principles for financial institutions (see for instance, http://www2.uk.coopers.com/coopers/financialservices/press/garppr.html) written originally by Coopers & Lybrand (now PriceWaterhouseCoopers).
Some of the ways the Internet has already been used to assist the risk identification process:
Using the Internet to gather information on the business processes. A form is created and sent via email to process owners/managers. Return email is automatically read and a database is populated with up-to-date information and self-assessments about what risks are being faced and the effectiveness of current measures to mitigate these risks. New Zealand Inland Revenue once used a manual version of this process. The Internet version is much more efficient.
Using the Internet "chat room" function for a private brainstorming session with key managers all over the globe to better understand the risks and controls in their processes.
Using the Internet to search for business process information in similar industries (see context suggestions, above).
Requesting risk assessment information on similar processes from:
- Auditors through user groups such as AUDIT-L@ADMIN.TAMU-COMMERCE.EDU and ANET@CSU.EDU.AU as well as Institute of Internal Auditors Chapter and National Institute sites (links available through IIA main site http://www.theiia.org).
- Internal audit information sites such as AUDITNET (http://www.auditnet.org) that carry lists of specific internal audit department sites for various companies and governments.
- Risk management information sites such as http://www.riskinfo.com.
- Fraud information sites such as http://www.fraud.org and the Association of Certified Fraud Examiners at http://www.cfenet.com.
- Computer security risk management sites such as http://www.gocsi.com.
The Internet is also a source for shareware and information about creativity tools necessary to "think out of the box" to identify hidden risks. One such tool is Mind Mapping.
The Internet can also be used for risk measurement. Risk measurement, is usually straightforward for quantitative data. Qualitative judgments and subjective risk factors are more difficult to handle without introducing bias. Delphi groups or other normative group techniques are used to minimize biases.
Delphi techniques involve a group of experts independently rating and ranking business risk for a business process or organization and blending the results into a consensus. Each expert in the Delphi group measures and prioritizes the risk for each element or criteria. A facilitator gathers the independent judgments and summarizes them. The summary is fed back to the expert panel along with their independent judgements, giving the opportunity for each expert to compare their judgment against the panel. The process is looped until consensus is reached. Delphi groups can be established easily on the Internet in an anyplace-anytime mode using email or Microsoft NetMeeting tools.
Far afield from risk management, market research organizations are working on Internet-based interactive data gathering and focus group techniques such as used in Control and Risk Self Assessment sessions. One product on the market is K.net (Knowledge Networks), a group decision support system using Intranet/Internet access to link and process group decision making. This system is offered by Milagro Systems, Inc.
The Internet is a rich source for risk assessment information and tools for risk management. The links to Internet resources above are provided as examples of the available information and are not exclusive endorsements of any product or service.
More Business Risk Management Info:
Risk Assessment Process
Risk Assessment and Internet Resources
Risk and Organization