Risk management is a full-time, ongoing endeavour for organisations in today’s business world, and it poses constant challenges. Unfortunately, fraud, bribery and corruption are major factors affecting businesses and agencies of all sizes and industries. Being proactive against these risks can mean the difference between success and ruin. Whatever your reasons or motivations might be, if your organisation’s objective is to have an effective risk assessment management strategy in place. This article discusses the importance of Risk Assessment. There are two important building blocks that form the core of risk management:
- Risk assessment
- Risk treatment
Each of these stages can stand on their own – in this article we will go into detail about best practices for identifying risks, how to analyse them in terms of probability and severity, and how they can be evaluated in terms of the company’s risk appetite.
What is Risk Assessment?
Risk assessment is the overall process of identification, analysis and evaluation of any given risk. It can be a systematic examination of a task, job or process that a risk professional carries out at work for the purpose of identifying significant hazards. For example, the risk of someone being harmed and deciding what further control measures to take to reduce the risk to an acceptable level. The process will vary between organisations, but it should start with identification of hazards, analysis of who and what might be harmed, evaluation of the risk, documentation of the risks, taking action and review. Your organisation should conduct a risk assessment systematically, interactively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by a further inquiry as necessary.
Risk assessment breaks down into:
- Step 1: Identification
- Step 2: Analysis
- Step 3: Evaluation
Business Intelligence (BI) Solutions can help during this stage. BI take many shapes and forms in today’s complex business environment. Budgets are stretched and the challenges facing a business and its employees can sometimes lead to issues that start off small, but then lead to wider spread problems which can affect the very fabric of your organisation and damage both your credibility, reputation and bottom line profits. CRI® Group takes two approaches to BI solutions:
- Intelligence operations (via market research and analysis): we focus on researching the future and potential growth of your business – i.e. determine the commercial viability and potential for success in the market, analyse consumer behaviour and business trends in that market, etc.
- Investigative operations (via commercial investigations): we focus on the current status of your business – i.e. location of assets, financial information, identification of unmet needs of any market, gauge brand awareness and identity in the market, etc.)
The purpose of risk identification is to find, recognise and describe risks that might help or prevent an organisation achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks. The organisation can use a range of techniques for identifying uncertainties that may affect one or more objectives. The following factors, and the relationship between these factors, should be considered:
- Tangible and intangible sources of risk;
- Causes and events;
- Threats and opportunities;
- Vulnerabilities and capabilities;
- Changes in the external and internal context;
- Indicators of emerging risks;
- The nature and value of assets and resources;
- Consequences and their impact on objectives;
- Limitations of knowledge and reliability of information;
- Time-related factors;
- Biases, assumptions and beliefs of those involved.
Your organisation should identify risks, whether or not your sources are under your control. Consideration should be given that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.
Risk analysis allows you to understand the nature of risk, its characteristics and level. Because an event can have multiple causes and consequences and can affect multiple objectives a risk analysis should involve a detailed consideration of uncertainties such as risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness.
Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of the information, and the resources available. Analysis techniques can be qualitative, quantitative or a combination of both, depending on the circumstances and intended use. Risk analysis should consider factors such as:
- The likelihood of events and consequences;
- The nature and magnitude of consequences;
- Complexity and connectivity;
- Time-related factors and volatility;
- The effectiveness of existing controls;
- Sensitivity and confidence levels.
A risk analysis is likely to be influenced by a wide range of variables, from any divergence of opinions, biases to perceptions of risk, from judgements, quality of the information used to the assumptions and exclusions made and any limitations of the techniques and how they are executed. These influences should be considered any risk analysis, documented and communicated to any decision-makers involved in the process.
It is important to remember that any highly uncertain event can be difficult to quantify, and this is an issue. If you find yourself in such a situation, using a combination of techniques generally provides greater insight. Risk analysis provides input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different types and levels of risk.
Risk evaluation can support your decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:
- Do nothing further;
- Consider risk treatment options;
- Undertake further analysis to better understand the risk;
- Maintain existing controls;
- Reconsider objectives.
Any decisions should take into account the wider context and the actual and perceived consequences to external and internal stakeholders. The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organisation.
Who should do risk assessments?
Well, by law, every employer must conduct risk assessments. Risk assessments should always be carried out by a professional who is familiar to risk, a person who is experienced and competent to do so. Competence can be expressed as a combination of knowledge, awareness, training, and experience. Remember competence does not mean you have to know everything about everything, competence also means knowing when you know enough or when you should call in further expert help.
But we all like to think that all of our employees will be trustworthy, but this is not always the case. There have been many instances in which an employee has been dishonest about their job history, qualifications or even criminal history. A dishonest employee could be unqualified for the position, possibly endangering others on the job. Or they might be a fraud risk, willing to bend the truth in other ways in order to enrich or advance themselves on your dime. No organisation can afford to have employees or staff who aren’t what they claim to be. Even a seemingly innocent embellishment can indicate more background problems under the surface, and the potential for future problems down the road so remember, trust your employees but, verify them too.
Risk Assessment and ISO 31000 certification with ABAC®
While the team at CRI® do not deliver any training or certification on ISO 31000, our partner ABAC® Center of Excellence do. ISO 31000 can provide the principles, framework and a process for managing risk. ISO 31000 is not a certifiable standard; the standard is a set of guidelines which provide guidance for internal or external audit programmes. However we recommend taking ISO 31000 Awareness training, this will enable you to fully understand Risk Management activities and mitigate risk.
ISO 31000 was developed by hundreds of experts in risk mitigation, from thirty countries. This international effort produced a standard that is worldwide and represents best practices and leading operations for risk management. Organisations can trust that they are following a tested, robust standard to increase success. The standard converts risk management into a set of “friendly” and actionable – and straightforward to implement – guidelines, regardless of the size, nature, or location of a business.
The training helps establish an ethical culture by educating your personnel on the following:
- What constitutes fraud, corruption, and bribery, and why these are so damaging to business
- How to identify red flags of fraud, corruption, and bribery
- The process for reporting fraudulent and unethical acts
- The organization’s zero-tolerance attitude toward unethical behaviour and willingness to terminate employees for breaches, and prosecute unethical acts
- The serious ramifications for committing fraud or bribery, the legal consequences, and the negative impact on one’s career
The ISO certifications helps us at ABAC® to provide appropriate anti-bribery training to personnel across various industries. This standard helps to assess bribery risks, perform the appropriate due diligence required for your business and to take reasonable and proportionate steps to ensure that controlled organizations and business associates have implemented appropriate anti-bribery controls.
While CRI® may not offer the ISO certification, we do offer other services. We specialise in solutions regarding compliance, working as trusted partners to businesses and institutions across the globe. Our experts work with energy, insight and care to ensure we provide a positive experience to everyone involved – clients, reference providers and candidates. CRI’s unique identity and vision evolved from our fundamental desire to support our clients and their candidates, thus creating the DueDiligence360™.
The DueDiligence360TM reports to help organisations comply with anti-money laundering, anti-bribery, and anti-corruption regulations. This service also proves beneficial ahead of a merger, acquisition, or joint venture as it can be used for a third-party risk assessment, onboarding decision-making, and identifying beneficial ownership structures. Identifying key risk issues clearly and concisely helps enhance your knowledge and understanding of the customer, supplier, and third-party risk, helping you avoid those involved with financial crime.
Why not consider our background investigative solutions? Employee Background Checks can aid in reducing the risk of hiring an employee who does not live up to their supposed skill set and could cause irrevocable damage. Firms spend years, thousands, even millions to brand their products and services – it only takes one bad hire to cause loss of capital and reputation. It can go as far as bringing a business to fail – especially if the employee holds malice towards the organisation. EmploySmart™ is CRI’s own solution aiming to expose vulnerabilities and threats within your organisation. Much like the ISO certification, our EmploySmart™ is a risk management measure which can be used to significantly reduce business and financial crime, fraud and malpractice within your workplace.
Our solutions are also certified by the British Standard Institute BSI for the scope of BS 7858:2019 Screening of individuals working in a secure environment, Code of practice (the only BS 7858 certified background screening services provider in the UAE and across the Middle East); and BS 102000:2018 Code of practice for the provision of investigative services.
Another risk management solution to consider from CRI® is our Third-Party Risk Management solution (TPRM), also known as 3PRM™. In wake of the global pandemic, the 3PRM™ was developed in a bid to aid organisations to accurately determine the legal compliance, financial viability, and integrity levels of external parties, vendors, and customers who seek to be affiliated with and represent the business.
The 3PRM-Certified™ program consists of gap analysis and investigative due diligence on the targeted above parties. This highly thorough program reveals anti-corruption, compliance and risk management discrepancies associated with the international regulatory framework helping your business to flourish at any scale. Find out more about CRI Group’s Solutions here.
If you’re unsure of what solution may be best for you and your business, how about connecting with one of our experts for a free consultation? Receive tailored advice from the top analysts and investigators across the globe.
About CRI® Group
Based in London, CRI® works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI® also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.
In 2016, CRI® launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI® Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.