Re-evaluate your risk assessment regime
Management accountant and Great British Bake Off star Makbul Patel explores the intricacies of risk assessment on a corporate level.
I get bored very easily. I have been cursed with an extremely low attention span. Honestly, I am like a five-year-old child at times. My mind doesn’t stay still.
Over the years I have tried to engage with many activities that take me away from the dry numbers of accountancy just to keep the grey matter functioning. We all need something. Years ago, I joined an amateur dramatics society. What an experience that was - stage management and acting. Time of my life. Both my confidence and attention seeking went into stratospheric levels, dahling.
This time last year I was just about kicked out of the Bake Off tent. My adventure had come to an end. Roll out whatever cliché you want but I don’t think I will ever experience anything like that again. Ooh, the glamour.
Before going into the tent each baker was given all the themes for the weeks and the baking challenges (aside from the technical, of course). We were fortunate enough to be given masses of ingredients and, for some of the recipes, the equipment also. For example, we were provided with an ice cream maker for the 80s week.
But all too soon after casting my eyes over the opening paragraph of the baking specs, my adrenalin gave way to the evil spectre of boredom. How many times do I have to make a genoise sponge? I had ganache coming out of my ears. The kitchen was in a constant mess. I was getting tired of cleaning. The food wastage was breaking my heart. I kept practice to a minimum and once I had got to grips with the brief I only baked when necessary, making sure all the products were eaten.
I also had to assess the likelihood of my progression in the tent each week. I knew the limitations of my ambition and my talent. Basically, I had to do a risk assessment for each week.
What was the likelihood of my progression, and was I bothered if there was none?
Which brings me neatly onto the subject of risk assessment on a corporate level. Risk analysis is crucial for every organisation and steps should be taken to eliminate the risks or mitigate them.
Risks can impact the following:
- Health and safety
- Delivery of the service
- Reputation of the organisation
The list isn’t meant to be exhaustive.
It was thrilling for me to get involved with the Risk Register at an organisation that had a national reach. Okay, maybe thrilling is overdoing it but the risk register was off the beaten management accountancy path. It broadened my financial horizons; no matter how inward looking we as a finance department may have been, there were always more important aspects to the running of the business.
For some organisations, the maintenance of a risk register is a legal requirement. For smaller firms it is highly recommended.
Risk is a very subjective item. It isn’t something quantifiable or consistent. A trapeze artist sees the risk of falling considerably less than someone like me who has trouble getting out of bed each day. So the risk has to be managed and assessed based on the organisation’s perspective.
To make the risk quantifiable, it needs to be broken down into how it can impact the company and its stakeholders. When I have been involved with the risk register the broad categories were as follows:
- The inherent value of the risk (probability)
- The current risk (with controls in place)
- Severity of effect if the incident were to happen
Each broad category is given a score between 1 and 5 – 1 being low risk or impact, 5 being high impact. For example, for an IT company or department the risk of power failure can be quantified as:
- Inherent value of risk – 5 (power outage is a real threat)
- Current risk – 2 (There is a backup generator)
- Severity of risk in its current threat – 3 (hard-copy backups, outsourced IT section)
The total risk value is therefore 5 x 2 x 3, which equals 30. The company would then have to set a benchmark threshold against which the severity of the risk is judged.
Maybe anything with a score of 25 upward needs urgent attention. What could the IT section do to reduce the risk? It could totally outsource the IT, in which case the risk has been transferred to someone else. It could also adapt to depend more on cloud-based applications, so that if the power were to go down the data and security of the company would be kept intact.
Each risk must be identified, dated and assigned ownership so it can be addressed and assessed at regular time intervals. This is where I came in. I’m no expert on the risk of the company – my main objective was to see what was high and medium risk and then harass the manager responsible to reduce the risk.
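The scoring and follow-up described above, written as a small register in Python. This is an added example, not from the original article; the sample risks other than the power-failure scores, the dates, the 90-day review interval and all field and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

URGENT_THRESHOLD = 25                  # the article's suggested benchmark ("25 upward")
REVIEW_INTERVAL = timedelta(days=90)   # assumption: risks are reassessed quarterly


@dataclass
class Risk:
    name: str
    owner: str            # manager responsible for reducing the risk
    raised: date          # date the risk was identified
    last_reviewed: date
    inherent: int         # probability with no controls, 1-5
    current: int          # risk with controls in place, 1-5
    severity: int         # effect if the incident were to happen, 1-5

    def __post_init__(self):
        # Reject box-ticking errors such as a 0 or a 6 before they skew the product.
        for field in ("inherent", "current", "severity"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.inherent * self.current * self.severity


def urgent(register, threshold=URGENT_THRESHOLD):
    """Risks at or above the threshold, highest score first."""
    return sorted((r for r in register if r.score >= threshold),
                  key=lambda r: r.score, reverse=True)


def overdue_by_owner(register, today, interval=REVIEW_INTERVAL):
    """Map each owner to the names of their risks not reviewed within the interval."""
    chase = {}
    for r in register:
        if today - r.last_reviewed > interval:
            chase.setdefault(r.owner, []).append(r.name)
    return chase


# Constructed sample register; only the power-failure scores (5, 2, 3) come from the article.
REGISTER = [
    Risk("Power failure", "IT manager", date(2024, 1, 10), date(2024, 1, 10), 5, 2, 3),
    Risk("Loss of key supplier", "Operations manager", date(2024, 2, 1), date(2024, 5, 20), 3, 3, 2),
    Risk("Unpatched finance server", "IT manager", date(2024, 3, 5), date(2024, 6, 1), 4, 3, 4),
]
```

With the article's scores the power-failure risk stays above the threshold of 25 even with the generator in place, so it appears in `urgent(REGISTER)` and, once its review date lapses, under its owner in `overdue_by_owner`.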
There are pros and cons to the risk register. The main disadvantage is that it is sometimes perceived as a bureaucratic and tedious exercise. Managers see it as a diversion that takes them away from their day-to-day work. As a result, they only give it scant attention and tick the boxes without careful thought.
However, there are many advantages. The main and most obvious one is to reduce and eliminate the impact on health and safety. Whether the risk is on a piece of paper or identified in the processes it must be taken seriously, or else there is a shed-load of legislation just aching to get you in the courtroom.