
14   |   Risk Assessment in Practice   |   Thought Leadership in ERM



        Prioritize Risks

        Once the risks have been assessed and their interactions documented, it’s time to view the risks as a comprehensive portfolio to enable the next step – prioritizing for risk response and reporting to different stakeholders. The term risk profile represents the entire portfolio of risks facing the enterprise. Some entities represent this portfolio as a hierarchy, some as a collection of risks plotted on a heat map. Entities with more mature ERM programs and quantitative capabilities may aggregate individual risk distributions into a cumulative loss probability distribution and refer to that as the risk profile.

        Similar to assessing risks, ranking and prioritizing is often done in a two-step process. First, the risks are ranked according to one, two, or more criteria such as impact rating multiplied by likelihood rating or impact multiplied by vulnerability. Second, the ranked risk order is reviewed in light of additional considerations such as impact alone, speed of onset, or the size of the gap between current and desired risk level (risk tolerance threshold). If the initial ranking is done by multiplying financial loss by likelihood, then the final prioritization should take qualitative factors into consideration.

        Hierarchies and Rolling Up and Drilling Down

        The simplest way to aggregate risks is to organize them according to a hierarchy. This is often done in risk management systems where risks can be organized by organizational unit, risk type, geography, or strategic objective. The better systems allow users to roll up and drill down for analysis and reporting. This provides a complete listing of the assessed risks but does not help with prioritizing.
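        The following added example (not from the COSO paper) works through both the two-step ranking described above and the roll-up/drill-down of a risk hierarchy on a small constructed register. The rating scales, the register contents and the step-two review rule (risks above their desired level move ahead, ties broken by impact alone and then speed of onset) are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample risk register (hypothetical values, not from the COSO paper).
# Assumed scales: impact, likelihood and speed of onset rated 1-5 (5 = worst/fastest);
# "desired" is the tolerated level on the same 1-25 impact-x-likelihood scale.
RISKS = [
    {"id": "ABC", "unit": "BU1", "type": "Strategic",   "impact": 4, "likelihood": 4, "onset": 2, "desired": 12},
    {"id": "DEF", "unit": "BU1", "type": "Financial",   "impact": 5, "likelihood": 2, "onset": 5, "desired": 6},
    {"id": "UVW", "unit": "BU1", "type": "Operational", "impact": 3, "likelihood": 3, "onset": 3, "desired": 9},
    {"id": "ABC", "unit": "BU2", "type": "Strategic",   "impact": 4, "likelihood": 2, "onset": 2, "desired": 12},
    {"id": "GHI", "unit": "BU2", "type": "Financial",   "impact": 2, "likelihood": 5, "onset": 1, "desired": 10},
    {"id": "JKL", "unit": "BU2", "type": "Compliance",  "impact": 3, "likelihood": 3, "onset": 4, "desired": 4},
]

def score(risk, criteria=("impact", "likelihood")):
    """Step 1 rating: product of the chosen criteria (impact x likelihood by default)."""
    result = 1
    for c in criteria:
        result *= risk[c]
    return result

def initial_ranking(risks):
    """Step 1: order the register by the quantitative score alone (stable sort)."""
    return sorted(risks, key=score, reverse=True)

def final_prioritization(risks):
    """Step 2: review the ranked order against additional considerations.
    Assumed review rule: risks above their desired level (positive gap) move ahead of
    those within tolerance; ties are broken by impact alone, then speed of onset."""
    def key(r):
        gap = score(r) - r["desired"]
        return (gap > 0, score(r), r["impact"], r["onset"])
    return sorted(risks, key=key, reverse=True)

def roll_up(risks, *levels):
    """Aggregate scores up a hierarchy: roll_up(risks, "unit") or roll_up(risks, "type", "unit")."""
    totals = defaultdict(int)
    for r in risks:
        totals[tuple(r[l] for l in levels)] += score(r)
    return dict(totals)

def drill_down(risks, **where):
    """List the (unit, id) pairs under one node, e.g. drill_down(RISKS, type="Strategic")."""
    return [(r["unit"], r["id"]) for r in risks if all(r[k] == v for k, v in where.items())]

if __name__ == "__main__":
    print("step 1:", [(r["unit"], r["id"], score(r)) for r in initial_ranking(RISKS)])
    print("step 2:", [(r["unit"], r["id"]) for r in final_prioritization(RISKS)])
    print("by unit:", roll_up(RISKS, "unit"))
    print("Strategic:", drill_down(RISKS, type="Strategic"))
```

        In the sample, Risk JKL in BU2 ranks fifth on score alone but moves to third in step 2 because it sits above its tolerance threshold, which is the kind of adjustment the review step is meant to surface.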

          Exhibit 5: Risk Hierarchies

          Risk Hierarchy by Org. Unit
            Enterprise
              Business Unit 1
                Risk ABC
                Risk DEF
                Project 1
                  Risk UVW
                  Risk XYZ
                Project 2
                  Risk UVW
                  Risk XYZ
              Business Unit 2
                Risk ABC
                Risk GHI
                Risk JKL

          Risk Hierarchy by Risk Type
            Enterprise
              Strategic
                Risk ABC
                  Risk ABC in Bus. Unit 1
                  Risk ABC in Bus. Unit 2
              Financial
                Risk DEF
                  Risk DEF in Bus. Unit 1
                Risk GHI
                  Risk GHI in Bus. Unit 2
              Operational
                Risk UVW
                  Risk UVW in Project 1
                  Risk UVW in Project 2
                Risk DEF
                  Risk DEF in Bus. Unit 1
              Compliance
                Risk n . . .






        www.coso.org