So why are risk assessments so complicated and other radical thoughts for the end of the year.

There was a time when the world’s greatest minds thought that the world was flat. And there was the time when consensus was that the universe rotated around the earth. I wonder if the current love of risk assessments is similar to the flat earth or universal rotation misbeliefs.

Our audit team has been having a robust discussion on risk assessment methodology, particularly regarding likelihood and impact. Because I have yet to find a risk assessment that pointed out the likelihood of the last financial crisis, the oil patch problems of the 80’s, or the no-doc loan syndrome of the 70’s, I am becoming more skeptical of the value of likelihood (which I define as an educated stab).

Impact is the same for me. Most people believe that every risk, once introduced, can be quantified in dollars, thereby proving impact. A nice thought. Yet there are some events whose dollar impact is a best estimate, or in other words, a guess. Hmm? A stab at "likelihood" and a guess at "impact." It seems we have discovered the true risk in this exercise.

Other intriguing aspects of the risk assessment process have surfaced as well. For example, there is a universal struggle with understanding the simple fact that a broken control is not a risk. The mistake is so common that we now let it pass when it occurs, and so every broken control gets recorded as a risk. The reasoning, if I understand it, runs like this: a control mitigates a risk, so if the control is broken the original risk is left unmitigated, and the broken control not only fails to mitigate the original risk but adds a new risk to the equation. But a broken control is not a risk. Enough to make any sane person support medical marijuana use.

That leads to the logical question of: what is a risk really?

People seem to believe that the risk assessment will help management understand the risks of their business better. I am not so sure. It seems to me that all a risk assessment does is provide a point-in-time perspective of the author(s) as to what a control environment may look like. It does not quantify the amount of risk being taken (or not); it does not predict what is going to happen next; and it certainly doesn’t tell an educated executive something that they don’t know. Should this not then be called a risk/control confirmation?

Another perplexity I find is that the risk assessment has become a cottage industry. 

Consultants provide a plethora of “approaches” to assessing risk. Some even provide laundry lists of risk events that you should consider monitoring, auditing or managing. As I think about it, in financial services I have seen risk assessments with over 600 risk events. Aren’t there really only two? (1) Do I have money to lend, invest or share? and (2) Do I follow the rules in doing that lending, investing or sharing? Only two risks, i.e., the reasons my business will fail, versus the 600 gaps in process, management or policy controls, which would be problematic but certainly are not risks.

So I find myself questioning why we are being asked to expect so much from risk assessments. The world is not flat and the planets revolve around the sun, not the earth. Maybe we should just admit that a risk assessment is not what people think it is. Time to keep it simple and see risk assessments for what they are: a point-in-time understanding of a certain environment based on the knowledge of the author(s). Nothing more and nothing less.

There is definitely a balance between simple and over-thought. The biggest issue for me is real-time vs. quarterly assessments.

Patrick Lee

Fundamentally Changing How Cyber Risk is Managed

5y

Nice article, Dan! Wayne's book suggestion above is a great one. I'd also like to add Jack Jones' and Jack Freund's "Measuring and Managing Information Risk." "What is a risk really?" The FAIR definition: "A risk is only a risk if there is a threat actor that has an effect on an asset (surrounded by controls) that causes a material impact." I agree a lot of folks think a broken control is a risk, but it's not one; just a factor of risk. The problem with "likelihood" in many qualitative risk assessments is that it doesn't provide a time frame. What is the likelihood of a meteor hitting the Earth and wiping out civilization? Well, it's 100% likely without a time period. In FAIR, we use "Loss Event Frequency" within a one-year period. Yes, if you're trying to quantify risks, sometimes you do have to make calibrated estimates or an educated "guess" around Loss Event Frequency or "Impact" (FAIR uses Probable Loss Magnitude). However, because there is so much more rigor and less subjectivity behind quantitative analyses compared to qualitative ones, the "point in time understanding of a certain environment based on the knowledge of the authors" in quantitative risk assessments is a lot more valuable to decision makers.

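The two points in the comment above (a likelihood is meaningless without a time frame, and FAIR combines a yearly Loss Event Frequency with a calibrated loss magnitude) can be made concrete with a small simulation. This is an added example, not code from the article, the commenters or the FAIR standard; the LEF of 0.5 events per year and the 10k / 50k / 500k loss estimates are constructed inputs.

```python
"""FAIR-style quantitative risk sketch (added example, not the article's).

Loss Event Frequency (LEF) is events per year; loss magnitude is a
calibrated three-point estimate.  All figures below are constructed.
"""
import math
import random
from statistics import mean, quantiles


def prob_at_least_one(lef: float, years: float) -> float:
    """P(>= 1 loss event within `years`) if events arrive as a Poisson
    process at `lef` per year.  Tends to 1 as the window grows, so a
    'likelihood' quoted without a time frame carries no information."""
    return 1.0 - math.exp(-lef * years)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def pert_sample(rng: random.Random, low: float, likely: float, high: float) -> float:
    """One loss magnitude drawn from a PERT (scaled beta) distribution fitted
    to the min / most-likely / max shape that calibrated estimates come in."""
    span = high - low
    a = 1 + 4 * (likely - low) / span
    b = 1 + 4 * (high - likely) / span
    return low + span * rng.betavariate(a, b)


def annual_loss_exposure(lef, low, likely, high, trials=10_000, seed=1):
    """Monte Carlo over `trials` simulated years: sum the losses of however
    many events occur, then summarise the resulting annual-loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n = poisson(rng, lef)
        losses.append(sum(pert_sample(rng, low, likely, high) for _ in range(n)))
    pct = quantiles(losses, n=100)
    return {"mean": mean(losses), "p50": pct[49], "p90": pct[89]}


if __name__ == "__main__":
    for yrs in (1, 10, 100, 1000):
        print(f"LEF 0.01/yr, {yrs:>4}-year window: P(event) = {prob_at_least_one(0.01, yrs):.4f}")
    print(annual_loss_exposure(lef=0.5, low=10_000, likely=50_000, high=500_000))
```

With these inputs the median annual loss is zero (most simulated years see no event) while the mean and 90th percentile are well above it, which is why a single "impact" figure hides more than it shows.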
