Understanding Risk Mitigation

Risk management is all about understanding risks that can have an impact on your organizational objectives and implementing strategies to mitigate and manage those risks. In this article, we examine the most common mitigation strategies and how they can be used to effectively manage risk.

The four most commonly used mitigation strategies are avoidance, acceptance, transference and control. Denial can also be considered a strategy, but to deny a risk exists is to do so at your peril.

When mitigating or managing risks, three steps to consider are:

  1) Determine the organization's appetite and tolerance for risk: set the level of risk the board and management are willing to take.
  2) Prioritize, or rank, each risk by significance and likelihood. By ranking risks, management is better able to determine the strategy that will be most effective for each.
  3) Determine appropriate risk mitigation strategies. The four most common mitigation strategies are avoidance, acceptance, transference and control.

Risk Mitigation Strategies:

Avoidance

Some risks aren't worth taking in the first place. Think about which activities are core to your business: is the risk a result of activities within the core business or outside it? If it is outside and the level of risk is deemed relatively high, consider avoiding the risk, or the losses an event could trigger, by ceasing the activities that create it or by not undertaking them at all. For example, if a capital expansion project may expose the organization to losses it could not recover from, the project may be scrapped. Alternatively, consider whether there is another way of doing things that avoids the risk or loss. For example, a company that outsources its non-core activities keeps the risk from arising internally and, depending on the type of risk, may also avoid any loss that would occur if the risk were to crystallize. Outsourcing may also be considered a way of transferring risk, which is another mitigation strategy, explored further below.


Acceptance

How high or low is the risk? Without risk there is no reward, and if the risk is low enough, accept it as a cost of doing business. In this case the risk is acknowledged but little or no action is taken to mitigate it. Actions that could still be taken include establishing a contingency fund or building a contingency plan, in case the risk escalates into a loss not previously anticipated. At the very least, the risk should be monitored and trends watched to determine whether its status has changed or may change in the near future.

Transference

Risk transference is the process of transferring any losses incurred as a result of the risk occurring to a third party. The most common example is the use of insurance policies. Business interruption, property and casualty, and automobile insurance are typical for most organizations. By understanding the type and level of risk, the right policy decisions can be made to ensure the right risks are being insured. For example, if your company operates in Richmond, BC, earthquake and flood insurance might be very appropriate; in Calgary, AB, an earthquake rider would be far less so, and each rider should be judged against the hazards the location actually faces. Usually, one person is left to determine the right amount of insurance coverage to obtain. Best practice, however, is to involve several individuals in the organization to ensure all aspects are covered. Linking the risks back to the organization's risk tolerance also influences the premium and deductible: consider how much of a loss the company would be able to absorb. This helps set the right amounts to balance insurance coverage with the organization's risk culture.

Another method of transferring risk is to outsource activities to a third party. As mentioned above, if the activities are not core to the business, it might make more sense to transfer them to a third party whose core business they are, especially if internal resources are limited. Many back-office functions, such as payroll and purchasing, are outsourced to service providers that specialize in these areas. However, like insurance policies, outsourced contracts and activities need to be monitored, and consideration should be given to what risks arise from the outsourced function: the activity can be transferred, but accountability for the outcome stays with the organization.


Control

A control is a procedure used either to prevent a risk from occurring or to detect that it has occurred. If the risk is worth taking and is part of your core operating activities, then you should implement controls to mitigate and manage the risk down to the lowest level possible.

The type of control procedure you select should be commensurate with the level of risk.

For example, preventive controls would be used for higher risks, as they are meant to stop the risk event from occurring. Detective controls will not prevent a risk from occurring but will detect that it has occurred, so the resulting loss can be identified and corrected. Figure 2 shows the different types of control activities that should be considered based on the type of risk and how it relates to the operating activities. For example, if there is a high risk of fraud in a particular area, consideration should be given to implementing all of the control types outlined in Figure 2. Take treasury management as an example. Process-level IT controls could govern access to the treasury system: only certain individuals would have access, and what each of them can do within the system would be restricted to their job function. These preventive controls, together with segregation of duties, ensure the same individual is not initiating, recording and settling a transaction, say the purchase and sale of an investment. At each period end, another individual would reconcile the investment accounts, and management would review the reconciliations to ensure any differences are adequately dealt with; these are detective controls, and they only work if someone follows up on the differences they surface. Most of these are hard controls. Soft controls surrounding treasury management would include employee training, policy manuals that set out functional responsibilities and investment limits, and a code of ethics and code of conduct that employees sign off on to promote ethical behaviour within the organization.
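As an added illustration of the treasury example (this is not code from the article or from PowellDorian), the following Python models the preventive controls described above, namely role-based access restricted by job function, an investment limit taken from the policy manual, enforced stage order and segregation of duties, alongside two detective controls: a check for users whose assigned roles span stages that should be segregated, and the period-end reconciliation of the ledger against custodian positions. The roles, users, limit, securities and transactions are all hypothetical and constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal

# Hypothetical role-to-permission map (assumption, not from the article):
# each role may perform exactly one stage of the investment lifecycle.
ROLE_PERMISSIONS = {
    "trader": {"initiate"},
    "back_office": {"record"},
    "settlements": {"settle"},
}
STAGE_ORDER = ["initiate", "record", "settle"]  # stages must occur in this order
# Stage pairs that must never be performed by the same person on one transaction.
CONFLICTING_STAGES = {("initiate", "record"), ("initiate", "settle"), ("record", "settle")}
# Hypothetical user-to-role assignment; erin is over-provisioned on purpose.
USER_ROLES = {
    "alice": {"trader"},
    "bob": {"back_office"},
    "carol": {"settlements"},
    "erin": {"trader", "back_office"},
}
INVESTMENT_LIMIT = Decimal("1000000")  # hypothetical policy-manual limit per trade


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class Transaction:
    tx_id: str
    security: str
    amount: Decimal
    actions: dict = field(default_factory=dict)  # stage -> user who performed it


def permitted_stages(user):
    """Stages a user may perform, derived from the roles assigned to them."""
    stages = set()
    for role in USER_ROLES.get(user, ()):
        stages |= ROLE_PERMISSIONS.get(role, set())
    return stages


def perform(tx, stage, user):
    """Preventive controls: least privilege, investment limit, stage order, SoD."""
    if stage not in permitted_stages(user):
        raise ControlViolation(f"{user} may not {stage} (least privilege)")
    if stage == "initiate" and tx.amount > INVESTMENT_LIMIT:
        raise ControlViolation(f"{tx.tx_id} exceeds the investment limit")
    expected = STAGE_ORDER[len(tx.actions)] if len(tx.actions) < len(STAGE_ORDER) else None
    if stage != expected:
        raise ControlViolation(f"{tx.tx_id}: expected stage {expected}, got {stage}")
    if user in tx.actions.values():
        raise ControlViolation(f"{user} already acted on {tx.tx_id} (segregation of duties)")
    tx.actions[stage] = user
    return tx


def conflicting_role_holders():
    """Detective control on the access model: users whose roles span segregated stages."""
    flagged = []
    for user in sorted(USER_ROLES):
        stages = permitted_stages(user)
        if any(a in stages and b in stages for a, b in CONFLICTING_STAGES):
            flagged.append(user)
    return flagged


def reconcile(transactions, custodian_positions):
    """Period-end detective control: settled ledger totals versus custodian positions."""
    ledger = defaultdict(Decimal)
    for tx in transactions:
        if "settle" in tx.actions:
            ledger[tx.security] += tx.amount
    securities = set(ledger) | set(custodian_positions)
    return {  # non-zero differences go to management for review and follow-up
        s: ledger[s] - custodian_positions.get(s, Decimal(0))
        for s in sorted(securities)
        if ledger[s] != custodian_positions.get(s, Decimal(0))
    }


def demo():
    """Runs the controls over constructed data and returns what each one produced."""
    tx = Transaction("T1", "GOV-BOND-2030", Decimal("250000"))
    perform(tx, "initiate", "alice")
    perform(tx, "record", "bob")
    perform(tx, "settle", "carol")
    blocked = []
    bad = Transaction("T2", "GOV-BOND-2030", Decimal("50000"))
    perform(bad, "initiate", "erin")
    try:
        perform(bad, "record", "erin")  # erin recording what she herself initiated
    except ControlViolation as e:
        blocked.append(str(e))
    # Custodian reports T2 as settled; our ledger does not (constructed discrepancy).
    custodian = {"GOV-BOND-2030": Decimal("300000")}
    return {
        "completed": dict(tx.actions),
        "blocked": blocked,
        "over_provisioned": conflicting_role_holders(),
        "differences": reconcile([tx, bad], custodian),
    }
```

Calling demo() shows the three-person transaction completing, erin's attempt to record her own trade being refused, erin being flagged because her two roles together cover segregated stages, and the reconciliation surfacing a 50,000 shortfall that the ledger cannot explain. The point of keeping the role model, the stage order and the reconciliation as separate checks is that each catches a failure the others miss: a well-designed role map still needs the per-transaction check if someone is given two roles, and neither prevents a settlement that was never recorded, which only the reconciliation reveals.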


Mitigation Activities

In reality, as the example above shows, a combination of mitigation activities is often performed for a particular risk. Several factors should be weighed by an organization in order to decide which mitigation activities will be best for it. These include the cost of the mitigating activity versus the amount of loss that could be expected to be incurred, the time it would take to implement the activity versus the urgency of the required mitigating strategy, and having appropriate resources to implement and monitor the mitigating strategies once they are in place.

For example, if a risk is ranked as high to extreme, then management should have a detailed plan to manage it. A customer-centric company that keeps personal information such as medical or payment data and provides service on a 24-hour basis may have an extremely robust plan to ensure the integrity of that data, and access to it, are protected. A business continuity plan with offsite capabilities for processing data and backing up information helps ensure that if service were disrupted by a disaster it would be restored quickly. In addition, the company may have robust firewalls, internal access controls (process level) to ensure access is on a need-to-know basis only, and penetration testing performed regularly to verify that those controls actually hold and that data integrity and confidentiality are being maintained.

If a risk is considered moderate, then management should at the very least be researching and developing a plan that will manage the risk. Consideration must be given to what steps need to be taken that will be both efficient and effective to either eliminate or minimize risk.

Where a risk is low, it can either be accepted and monitored, or managed through routine procedures. Consider the use of account reconciliations, where an accounting clerk will often prepare the reconciliation with management review to ensure the reconciliation is correct and follow up on any unusual items (detective controls).

In all cases, management responsibility needs to be assigned to each risk in order to ensure it is managed.

Lisa Dorian, CA, CIA, CPA(IL)
President
+1.778.588.7265