Value is a function of risk and return. Every decision either increases, preserves, or erodes value. Given that risk is integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it, a perspective that represents a critical change from the traditional view of risk as something to avoid. Rather, these enterprises seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk—no more, no less—to effectively pursue strategic goals. This is the “sweet spot,” or optimal risk-taking zone.
That’s why risk assessment is important. It’s the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals.
To accomplish this, enterprises require a risk assessment process that is practical, sustainable, and easy to understand. The process must proceed in a structured and disciplined fashion. It must be scaled to the enterprise’s size, complexity, and geographic reach.
While enterprise-wide risk management (ERM) is a relatively new discipline, application techniques have been evolving over the last decade. The purpose of this paper is to provide leadership with an overview of risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision-making. It represents another in a series of papers published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) aimed at helping organizations move up the maturity curve in their ongoing development of a robust ERM process.
Within the COSO ERM framework, risk assessment follows event identification and precedes risk response. Its purpose is to assess how big the risks are, both individually and collectively, in order to focus management’s attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being over-controlled or forgoing desirable opportunities.