

Business Risk Assessment Methodology


Risk assessment is a fundamental component of effective risk management within any business, especially in the realm of regulatory compliance. Essentially, it involves identifying, analyzing, and evaluating potential risks that could hinder the achievement of business objectives or compliance with regulatory requirements.

1. Business risk assessment methodology refers to the approach taken to assessing the risks and opportunities that affect the achievement of organisational goals and objectives. Business risk is normally assessed at three levels, and assessment at all three levels is essential to identify the THREATS, OPPORTUNITIES and potential ALTERNATIVES for action to achieve the organisational goals and objectives. Strategic: guidance typically covers a period of 5 to 10 years, but can be as little as 1 year projected forward in a fluid environment. Assessment is usually performed by senior management and, ideally, with some kind of independent facilitator. Strategic assessment is usually limited to the assessment itself, i.e. identification, measurement and prioritisation of risk.

2. Project/Program/Process: for the current period of organisational or change management activity. The project manager or process owner is responsible for the initial assessment and monitoring, or may share this with an oversight committee. It is a blend of risk assessment in the planning phase and risk management in the implementation phase. Operational: everyday operations, such as health and safety issues. This is performed at supervisory level, or by individuals or a work team tasked with a particular activity. It usually focuses on standard workplace risks and hazards that have already been identified in the strategic assessment process; the task is to manage risk in order to get the job done.

3. Strategic Risk Assessment Methodology. Understand the overall goals and objectives by examining the organisation's fundamental documents, and classify the identified goals and objectives into SHORT, MEDIUM and LONG TERM issues. Then choose the strategic risks that are likely to be of greatest importance:

  • Operational risk is the risk that the entity will not meet its operational goals and objectives.

  • Fiscal risk is the risk that deficiencies in expenditure control and revenues will adversely affect agreed-upon outcomes or objectives.

  • Reputation risk is the risk that some action by the entity will impair its ability to reach its goals and objectives.

  • Other strategic risks, such as policy and regulatory risk.

4. Definition of the various important and relevant external environments and the potential impact of uncertainties in each:

  • Political / Government

  • Technological

  • Legal and Regulatory

  • Competitors

  • Customers, Constituents and stakeholders

  • Physical

  • Markets

  • Suppliers

  • Economic/Financial

5. Creation of a series of matrices, such as environments (step 4) X time horizon (step 1). Using creative processes such as brainstorming, imagine scenarios of possible threats and opportunities for each cell of the matrix, thinking outside the box as much as possible. Combine the risk assessments for the various goals and objectives across each of the three time horizons to get a composite strategic risk assessment in quantitative form, i.e. likelihood x frequency on an SCP basis.

6. Project Risk Assessment. This uses a different method of identifying risk and opportunity. The method can be one, or a combination, of the following:

  • Exposure analysis based on assets involved

  • Environmental analysis based on study of changes

  • Threat scenarios: exploring various narrative scenarios under a number of different conditions, especially for catastrophic events and fraud.

7. Observation and/or measurement of risk is a difficult and subjective activity; therefore risk factors are used, which are observable or measurable characteristics of the conditions at risk. A standard set of risk factors and criteria should be established to measure and rank projects according to their perceived risk. Each project, program or process to be formally assessed for risk should be scored by the project initiator against the established risk factors, based on their understanding of the project, program or process and their perception of the risk as described.

8. Procedure of Project Risk Assessment

Identify Risk: use one or more of the methods above to identify risk, i.e. exposure, environmental and/or threat analysis.

9. Measure Risk/Develop Alternatives:

  • Read each factor and its sub-criteria to become familiar with the aim of each.

  • Consider the project, program or process using each of the factors/criteria.

  • Score each factor for the project, etc. on a scale of 1 to 5 (lowest to highest) based on your subjective assessment of the strength/weakness or presence/absence of the criteria.

  • Total the scores across all factors and divide by the number of factors to get the average score.

  • High risk scores are those with an average of 4.25 or more. Low risk scores are those with an average score below 2.25. These are starting figures that can be adjusted with experience.

  • Analyse the high-risk areas and develop alternatives, i.e. controls and other risk management techniques, to deal with each of the high-risk components.

  • Price out the alternatives and compare risk and cost.
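The scoring steps above (score each factor 1 to 5, average the scores, rate the result against the 4.25 and 2.25 starting thresholds, then single out the high-scoring factors for control design) are mechanical enough to be worth pinning down in code. The following is an added example written for this page, not the consultancy's own tool: the factor names, the three sample projects and their scores are constructed, a "Medium" rating for averages between the two thresholds is an assumption (the text only defines High and Low), and the per-factor cut-off of 4 used to pick out components needing controls is also an assumption.

```python
"""Project risk scoring: per-factor scores of 1..5, averaged, then rated
against the 4.25 / 2.25 starting thresholds from the procedure above.
Factor names and sample projects below are constructed for illustration."""

from dataclasses import dataclass

# Starting thresholds given in the procedure; adjustable with experience.
HIGH_RISK_THRESHOLD = 4.25
LOW_RISK_THRESHOLD = 2.25

# Scale of the subjective per-factor score (lowest to highest risk).
MIN_SCORE, MAX_SCORE = 1, 5


@dataclass(frozen=True)
class ProjectAssessment:
    """One project/program/process scored against the established risk factors."""
    name: str
    scores: dict  # factor name -> score in 1..5, as given by the project initiator


def validate_scores(scores):
    """Reject an empty score sheet or any score outside the 1..5 scale."""
    if not scores:
        raise ValueError("at least one risk factor must be scored")
    for factor, score in scores.items():
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"factor {factor!r}: score {score!r} is not an integer in 1..5")


def average_score(scores):
    """Total the factor scores and divide by the number of factors."""
    validate_scores(scores)
    return sum(scores.values()) / len(scores)


def classify(avg, high=HIGH_RISK_THRESHOLD, low=LOW_RISK_THRESHOLD):
    """High at or above the high threshold, Low below the low threshold.
    'Medium' for the band in between is an assumption; the text defines only High and Low."""
    if avg >= high:
        return "High"
    if avg < low:
        return "Low"
    return "Medium"


def high_risk_factors(scores, threshold=4):
    """Factors scored at or above `threshold` (assumed cut-off): the components
    for which alternatives, i.e. controls, should be developed and priced."""
    validate_scores(scores)
    return sorted(f for f, s in scores.items() if s >= threshold)


def rank_projects(assessments):
    """Rank projects by average risk score, highest first, with their rating."""
    ranked = []
    for a in assessments:
        avg = average_score(a.scores)
        ranked.append((a.name, avg, classify(avg)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample: four factors drawn from the exposure / environmental /
# threat analyses described above, scored for three hypothetical projects.
SAMPLE_PROJECTS = [
    ProjectAssessment("Payments platform migration",
                      {"asset exposure": 5, "environmental change": 4,
                       "threat scenarios": 5, "control maturity gap": 4}),
    ProjectAssessment("Supplier onboarding portal",
                      {"asset exposure": 3, "environmental change": 4,
                       "threat scenarios": 2, "control maturity gap": 3}),
    ProjectAssessment("Intranet style refresh",
                      {"asset exposure": 1, "environmental change": 2,
                       "threat scenarios": 1, "control maturity gap": 2}),
]

if __name__ == "__main__":
    for name, avg, rating in rank_projects(SAMPLE_PROJECTS):
        print(f"{name:30s} avg={avg:.2f} rating={rating}")
    print("Design controls for:", high_risk_factors(SAMPLE_PROJECTS[0].scores))
```

Running the script ranks the three constructed projects (4.50 High, 3.00 Medium, 1.50 Low) and lists the factors of the top-ranked project that need controls. The thresholds are plain parameters of `classify`, so a team that has calibrated its own figures passes them in rather than editing the procedure; `validate_scores` refuses sheets with missing or out-of-scale scores, since an average over bad input would silently misrate a project.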

10. Control design: choose the most cost-effective controls within reasonable prudential and organisational tolerance for accepting risk. Risk Management: monitor risks and hazards, adjusting the project plan as necessary to meet changing conditions.

11. Operational Risk Management. Operational risk in financial services is normally accepted as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This is effectively the risk arising from employees performing their jobs. The focus of operational risk is on risk management. Risk assessment is usually done by a specialist.

If you need to create, review or execute your Governance, Risk or Compliance strategy, call us today on 0207 097 1434 or email

This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.