How to evaluate risks in your company?

Risk Evaluation is the process used to compare the estimated risk against the given risk criteria so as to determine the significance of the risk.

Managing risks in a company starts with a decision to manage risks strategically across the whole organization. The risk management team or the executives responsible for implementing the process must first put together a plan that covers all the elements that affect the risk management process, and assemble a team to execute the plan.

What steps should be included in a risk management plan?

An effective risk management plan, and the process that follows from it, takes a few steps to achieve. They can be summarized in the five steps below.

Silver Bullet Risk - BLOG - ERM - Enterprise risk management

1. Risk management team
First, a risk management team or an individual responsible for the risk management process must be appointed. Usually, the bigger the company, the bigger the team, as more departments are involved in a larger organization. Because a risk management culture calls for the involvement of all stakeholders in a company, teams can get broader, but the core risk management team holds the process together.

2. Analysis
The whole organization comes under scrutiny, as risks, known or unknown, can sit anywhere in the company. A thorough investigation must be carried out, involving all departments, all organizational and business processes, and all stakeholders who affect the risk assessment.

3. Identification of risks
Recognizing risks can be a daunting task, as it is not always obvious that a process is exposed to risk. The goal here is to treat all processes as risk-prone and then inspect each one to determine which risks, if any, could affect it.

4. Prioritization of risks
Once all the risks are identified, they must be sorted in various ways, according to their impact on the organization. Risks with a bigger impact naturally have a higher priority.

5. Monitoring the risk
A strategy is only as good as its execution. The same holds for monitoring business processes or, in this case, monitoring the risks identified in an organization.


One of the important steps, outlined in this blog, is evaluation of risks. It’s the step where risks are measured and compared through various factors. Risk evaluation allows you to determine the significance of risks.

Evaluation of risks can be done in various ways, using all sorts of tools and methods. One of the most efficient ways is to sort the risks by scoring and prioritizing them.

Scoring the risks

Scoring (or ranking) usually maps each risk on two parameters: impact (or consequence) and probability.

Impact: Every risk is assessed on the impact it would have if it materialized and the kind of consequence it would present for the company. Low-impact risks have no significant effect on business processes or the organization at large. High-impact risks can alter the course of the business; they affect the company's success or even its failure.

Probability: In this scoring process, risks also get an assessment from low to high. Low-probability risks are the ones considered (almost) never to happen. High-probability risks are likely to happen and must be planned for in any case.

Prioritizing risks

After scoring all the risks, it's time to cross-match impact and probability. Not every highly probable risk has a big impact on the company, and not every rarely occurring risk has only a small impact.
That's why it's useful to develop a grid map with the impact level on one axis and the probability level on the other (a risk grid map).


Prioritizing risks this way produces a risk grid map from which 4 mitigating strategies can be developed.

Low impact & Low probability
With both scores low, risks are not actively mitigated, but mostly only monitored.

Low impact & High probability
This strategy proposes mitigating risk through reducing the frequency of occurrence.

High impact & Low probability
Although the probability of these risks materializing is low, they can have a big impact if or when they occur. That's why reducing the severity of the risk, should it happen, is advised.

High impact & High probability
These are the kind of risks we most definitely don't want to meet, and we want to avoid them. The strategy here is to reduce both the severity of the impact and the frequency of occurrence.

