For each risk, management should assess the likelihood and the extent to which the enterprise may be affected. It is only possible to effectively set priorities for action and allocation of resources if such an assessment is undertaken. Both quantitative and qualitative methods should be used to conduct risk assessment. All risks should be considered in the context of the organization's risk appetite.
Principles
- Qualitative assessment
- Quantitative assessment
- Sophistication varies based on program maturity and objectives
- Portfolio view of risks
- Make sure the assessment is defensible
Business Objectives
- To ensure that the entity periodically assesses the risk of criminal or noncompliant conduct and takes appropriate steps to design, implement, or modify program elements to reduce the risk of such conduct
- To ensure that all identified events presenting significant risk are analyzed and prioritized
Considerations
- Include an evaluation of both long-term and short-term risks
- Include an evaluation of singular events as well as the potential effect of cumulative events
- Risks may be inherent or residual
- Periodically re-evaluate the assessment for changes to the risk environment and the organization's risk appetite
Critical Success Factors
- Correctly prioritizing risks