Tip of the Month: Risk Rating Methodologies
October 05, 2022
Did You Know?
BarnOwl enables residual risk to be derived in one of three ways, namely:
- Manually rated whereby the residual risk is manually captured by the user, informed by risk-related information.
- Control factor percentage whereby a control factor % is captured and applied to the inherent risk to derive the residual risk.
- Auto rated whereby the residual risk is calculated based on a formula taking into account the controls linked to the risk.
1. Manually rating of residual risk and dynamic risk reassessment
BarnOwl is dynamic in that it not only enables the risk owner to view everything that is linked to a specific risk but also informs the risk owner via dynamic re-assessment (and via email) of anything that has changed which affects the risk (i.e. linked controls, KRIs, child / linked risks and loss events). This method enables residual impact and residual likelihood to be rated independently taking into account preventative and corrective controls which affect likelihood and detective controls which affect impact.
Risk management is part science and part art which means that human judgement still plays a major role in the rating of risks. This method enables the risk owner to make informed decisions taking into account all risk-related facts.
In addition, BarnOwl’s dynamic risk re-assessment cascades upwards level by level from the lowest level to the highest level of the organisation keeping the relevant risk owner/s informed of a changing environment and ensuring risk registers are kept up to date.
2. Control factor rating
This enables the risk owner to manually capture a control factor % against a risk which is applied proportionately to the inherent impact and the inherent likelihood resulting in a calculated residual impact and residual likelihood. Essentially the control factor % is a gut feel estimate of the overall ‘control effectiveness’ of all controls linked to the risk.
This is a simplistic way to calculate the residual risk and depending on how it is derived (by gut feel), does not take into account the individual adequacy and effectiveness ratings of each linked control or other linked items such as KRIs, child risks and loss events.
3. Auto rating of residual risk based on a control formula
BarnOwl enables a formula to be configured based on the adequacy and effectiveness ratings of all linked controls taking into account controls linked directly to the risk or indirectly via a contributing factor. This is an automated and consistent way to rate risks, however, it does not take into account the other linked items such as KRIs, child risks and loss events which should be considered when rating a risk.
Points for Consideration
Risk management is part science and part art which means that human judgement still plays a major role in the rating of risks. Auto-rating based on controls is therefore not perfect as controls are only one criteria when it comes to rating the residual risk. Controls, loss events, near misses, key risk indicators, child risks (linked risks) and action plan progress should / must also all be taken into account when rating a risk.
BarnOwl is flexible in that it allows multiple risk rating methodologies and allows for the manual override of auto rated risks where appropriate. BarnOwl prompts the risk owner to re-rate his / her risk when anything linked to the risk changes including a full audit trail of all changes made to the risk and its linked objects.
BarnOwl supports a top-down and bottom-up approach to risk management. Risks can be identified at the various levels of the organisation (e.g. level 1, level 2, level 3 risks) and linked upwards or downwards. This means that low level process and unit risks cascade upwards facilitating up to date risk registers and reporting at a high / strategic level.
Ideally, risks should also be rated quantitatively including the setting of risk appetite per business unit as well as per category of risk (i.e. a risk you want to take where your appetite is higher such as “Growth: expanding your business” or a risk you want to avoid where your appetite is lower such as “Regulatory: non-compliance to a regulatory requirement”).
Conclusion
In many cases we try to apply a scientific formula to risk management, when risk management, by its very nature is unpredictable and relies on a number of factors as well as human judgment and past experience. We don’t pay enough attention to the quality and completeness of the risk information that is captured; the old adage ‘garbage in and garbage out’ springs to mind.
How effective is our objective and risk identification process and how complete and up to date is related information such as controls, key performance indicators (KPIs), key risk indicators (KRIs), risk interdependencies, root cause analysis, past history (incidents), near misses, key control indicators (KCIs) etc? KRIs help us to rate our risks more objectively.
It is more important to focus on the ‘quality’ and ‘prioritisation’ of the risk than get bogged down by theoretical risk rating formulae. This approach enables risk owners at every level of the organisation (bottom-up) to take accountability and make informed decisions regarding the importance of their risks within their own context (i.e at their organisational level) which then cascade upwards level by level to the highest level of the organisation.
In conclusion, by capturing the level of risk (e.g. strategic, business, operational, process) and linking risks (to objectives and child risks) intelligently, one gets a consolidated view of the organisation’s risk profile from ‘top to bottom’ as well as a detailed view at every level of the organisation.
Useful links
Some useful links:
https://api.barnowl.co.za/insights/demystifying-risk-management/
https://api.barnowl.co.za/insights/a-3-step-approach-to-implementing-risk-appetite-and-tolerance/
https://api.barnowl.co.za/uncategorized/using-unit-impact-values-to-rate-risk/
https://api.barnowl.co.za/tip-of-the-month/quantifying-risk-exposure/
About BarnOwl:
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see www.barnowl.co.za for more information.