Risk Assessment in Practice

Given that risk is integral to the pursuit of value, strategic-minded enterprises manage their risk exposures so that, at any given time, they incur just enough of the right kinds of risk — as defined in the Risk Appetite Statement (RAS) — to pursue their strategic goals effectively.

The Risk Assessment Criteria

Impact refers to the extent to which a risk event might affect the enterprise. Impact assessment criteria may include financial, reputational, regulatory and operational impacts. For example, a risk may receive a “High” impact score if it meets one or more of the criteria below:

  • Financial loss of X% of annual revenue or more;
  • Long-term negative media coverage;
  • Significant loss of market share;
  • Litigation and fines.

Likelihood represents the possibility that a given event will occur. To assess likelihood it is convenient to use a logarithmic scale such as:

  • once in a year or more
  • once in 5 years or more
  • once in 20 years or more
  • once in 50 years or more

Vulnerability refers to the entity’s preparedness to withstand a risk. It may include capabilities such as scenario planning, capital buffers and financial strength.

Velocity refers to the time it takes for a risk event to manifest itself, i.e. the time that elapses between the occurrence of the event and its first notable effects.

Inherent and Residual Risk

Inherent risk is the risk to an entity in the absence of any actions management might take to mitigate it. Residual risk is the risk that remains after management’s response measures have been applied.
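The following is an added example, not code from the original article, showing how the criteria above (impact, the logarithmic likelihood scale, velocity) can be combined into a simple scoring model and how inherent and residual risk differ once management controls are applied. All thresholds, the mapping of the likelihood scale to annual occurrence rates, the sample risk and the controls are assumptions constructed for illustration; vulnerability (preparedness to withstand a risk) is modelled only indirectly, as the impact reduction a control provides.

```python
"""Added example: a small risk-scoring model for the criteria described above.
Not part of the original article; every threshold and sample value is assumed."""
from dataclasses import dataclass

# Assumption: read the article's logarithmic likelihood scale as an
# annualised occurrence rate (events per year).
LIKELIHOOD_RATE = {
    "once in a year or more": 1.0,
    "once in 5 years or more": 1 / 5,
    "once in 20 years or more": 1 / 20,
    "once in 50 years or more": 1 / 50,
}

# Assumption: the "X% of annual revenue" criterion with X = 5.
HIGH_LOSS_PCT = 5.0


@dataclass
class Risk:
    name: str
    likelihood: str               # one of the LIKELIHOOD_RATE keys
    loss_pct_revenue: float       # financial impact, % of annual revenue
    media_coverage: bool = False  # long-term negative media coverage
    market_share_loss: bool = False
    litigation: bool = False
    velocity_days: int = 30       # occurrence -> first notable effect


@dataclass
class Control:
    """A management response that scales down likelihood and/or impact."""
    name: str
    likelihood_factor: float = 1.0  # 0.5 halves the occurrence rate
    impact_factor: float = 1.0      # 0.5 halves the financial loss


def impact_level(risk: Risk) -> str:
    """'High' if any of the article's example criteria is met."""
    if (risk.loss_pct_revenue >= HIGH_LOSS_PCT or risk.media_coverage
            or risk.market_share_loss or risk.litigation):
        return "High"
    if risk.loss_pct_revenue >= HIGH_LOSS_PCT / 5:  # assumption: 1% -> Medium
        return "Medium"
    return "Low"


def expected_annual_loss(risk: Risk, controls=()) -> float:
    """Expected loss per year in % of revenue: rate x loss, after controls.
    With no controls this is the inherent risk; with controls, the residual."""
    rate = LIKELIHOOD_RATE[risk.likelihood]
    loss = risk.loss_pct_revenue
    for control in controls:
        rate *= control.likelihood_factor
        loss *= control.impact_factor
    return rate * loss


def assess(risk: Risk, controls, appetite_pct: float) -> dict:
    """Compare residual risk with the appetite (max tolerated expected loss)."""
    inherent = expected_annual_loss(risk)
    residual = expected_annual_loss(risk, controls)
    return {
        "impact": impact_level(risk),
        "inherent_eal_pct": round(inherent, 4),
        "residual_eal_pct": round(residual, 4),
        "within_appetite": residual <= appetite_pct,
        # Assumption: effects within a week count as a fast-moving risk.
        "velocity": "fast" if risk.velocity_days <= 7 else "slow",
    }


# Constructed sample: an outage scenario and two hypothetical controls.
SAMPLE_RISK = Risk("Prolonged service outage", "once in 5 years or more",
                   loss_pct_revenue=10.0, media_coverage=True, velocity_days=1)
SAMPLE_CONTROLS = (
    Control("Tested offline backups", impact_factor=0.3),
    Control("Hardening and patch cadence", likelihood_factor=0.5),
)
APPETITE_PCT = 0.5  # assumption: tolerate <= 0.5% of revenue expected loss/year

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RISK, SAMPLE_CONTROLS, APPETITE_PCT).items():
        print(f"{key}: {value}")
```

Note that the residual expected loss falls within the assumed appetite, but the qualitative impact level stays “High” because the media-coverage criterion is unaffected by the controls; a practitioner would record both the quantitative and the qualitative result rather than letting one hide the other.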

Risk Response Planning

Quantitative and qualitative assessments across the criteria above help enterprises manage different forms of risk within their risk appetite. To be effective and sustainable, the risk assessment process needs to be simple, practical and easy to understand. To succeed, the process must be performed by people with the right skills, supported by appropriately sized technology.