When you hear the word ‘risk,’ what comes to mind? Swimming with sharks? Skydiving? A weekend in Vegas? Risk may describe each of these activities, but it encompasses more than the dangerous, exciting, or hazardous. Risk is the probability that an event occurs, weighed against the loss that event would cause.
Each year, Go Daddy’s internal audit department performs a company-wide risk assessment. The objective of the risk assessment is to identify and assess risks that would prevent Go Daddy from achieving our business goals. Identified risks are prioritized and serve as the basis for planning future audits.
The following steps, which internal audit follows to complete the annual risk assessment, can be applied to evaluate and manage the risks of any choice or activity.
- Identify Risk
First, define the activity’s objective. Once the objective is known, brainstorm and document the risks that would prevent the objective from being accomplished. Brainstorming can be challenging, particularly for activities that are familiar or routine, because familiarity hides the ways they can fail. Step back from the activity, take an objective view, and remember Murphy’s Law: “Anything that can go wrong, will go wrong.”
- Assess Risk
- Treat Risk
With risks identified and risk ratings assigned, it’s decision time. What are you going to do? There are four risk management approaches that can be taken:
- Acceptance – Accept the potential cost and loss if the risk occurs. As an example, one may choose to accept all low risks.
- Transference – Transfer a portion or all of the potential cost of a loss to a third party. Transference of risk is generally accomplished through insurance.
- Reduction – Implement a countermeasure that lowers the likelihood of the event, the size of the loss, or both. Examples of risk reduction in information systems include firewalls, intrusion detection systems, and access control systems.
- Avoidance – Discontinue the activity that introduces the risk. As an example, discontinue use of a recalled product.
A risk rating combines the likelihood that the event occurs with the impact of the resulting loss. Using the criteria above, a rating can now be assigned with the following formula and matrix:
Residual risk is the risk that remains after treatment. Treatment rarely eliminates a risk entirely; apart from avoidance, some residual risk should be expected.
Using the aforementioned steps, the following table illustrates a theoretical risk assessment. This assessment focuses on a familiar activity, an upcoming business trip. Note that, while this activity is familiar, it is not without risk.
A number of options are available to treat each risk noted above. The final decision for risk treatment is based on the individual’s or organization’s tolerance for residual risk.
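As an added example that is not part of this article or of Go Daddy’s own audit tooling, the following Python models the identify, assess, and treat cycle described above as a small risk register. Ratings are likelihood × impact on an assumed 1 to 5 scale, the Low/Medium/High bands are an assumed 25-point matrix, and the business-trip risks are constructed for illustration rather than taken from the article’s table. Each of the four treatments is applied to produce a residual rating, which is then compared against a residual-risk tolerance so that anything still above tolerance is flagged for a further decision.

```python
"""Worked risk register for the identify / assess / treat cycle.

Added example, not the article's or Go Daddy's own code. The 1..5
likelihood and impact scales, the Low/Medium/High bands and the
business-trip risks below are all assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"      # live with the potential loss
    TRANSFER = "transfer"  # insurance or contract absorbs part of the loss
    REDUCE = "reduce"      # a countermeasure lowers likelihood and/or impact
    AVOID = "avoid"        # stop the activity that introduces the risk


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    treatment: Treatment = Treatment.ACCEPT
    # Fraction of likelihood / impact removed by the chosen treatment.
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")
        for f in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= f <= 1.0:
                raise ValueError("reductions are fractions between 0 and 1")


def score(likelihood: float, impact: float) -> float:
    """Risk rating = likelihood x impact (the usual matrix formula)."""
    return likelihood * impact


def band(rating: float) -> str:
    """Assumed bands for a 25-point matrix: <=5 Low, <=12 Medium, else High."""
    if rating <= 5:
        return "Low"
    if rating <= 12:
        return "Medium"
    return "High"


def residual(risk: Risk) -> float:
    """Apply the chosen treatment and return the residual rating."""
    if risk.treatment is Treatment.AVOID:
        return 0.0  # the activity stops, so the risk disappears
    if risk.treatment is Treatment.ACCEPT:
        return score(risk.likelihood, risk.impact)  # nothing changes
    if risk.treatment is Treatment.TRANSFER:
        # a third party absorbs part of the loss: only impact shrinks
        return score(risk.likelihood, risk.impact * (1 - risk.impact_reduction))
    # REDUCE: a countermeasure lowers likelihood and/or impact
    return score(risk.likelihood * (1 - risk.likelihood_reduction),
                 risk.impact * (1 - risk.impact_reduction))


def assess(register, tolerance: float):
    """Return (name, inherent, residual, band, within_tolerance) per risk."""
    rows = []
    for r in register:
        inherent = score(r.likelihood, r.impact)
        res = residual(r)
        rows.append((r.name, inherent, res, band(res), res <= tolerance))
    return rows


def above_tolerance(register, tolerance: float):
    """Names of risks whose residual rating still exceeds the tolerance."""
    return [row[0] for row in assess(register, tolerance) if not row[4]]


# Constructed business-trip register (not the article's table).
TRIP = [
    Risk("Laptop stolen in transit", 2, 5, Treatment.REDUCE,
         impact_reduction=0.8),            # full-disk encryption limits the loss
    Risk("Flight cancelled", 3, 3, Treatment.TRANSFER,
         impact_reduction=0.3),            # travel insurance covers part of the cost
    Risk("Forgot phone charger", 4, 1, Treatment.ACCEPT),
    Risk("Hotel Wi-Fi without VPN", 5, 4, Treatment.AVOID),
]

if __name__ == "__main__":
    for name, inherent, res, res_band, ok in assess(TRIP, tolerance=6):
        print("%-28s inherent=%4.1f residual=%4.1f %-6s %s"
              % (name, inherent, res, res_band, "ok" if ok else "ABOVE TOLERANCE"))
```

With a tolerance of 6, the transferred flight risk is the only one still flagged: insurance that covers 30% of the loss leaves a residual rating of about 6.3, which is above tolerance even though the band is only Medium. That is the decision point the article describes: either accept the residual, buy better coverage, or combine treatments.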
The risk universe is continually evolving; today’s risks will not be tomorrow’s. It is therefore important to develop the habit of identifying, assessing, and treating risk. That capability will improve one’s ability to navigate risk and achieve one’s objectives.