How We Built Our Annual Risk Assessment Process


Looking at the risks your business faces is something every organization does, in some form or another. As teams grow or specialize, the approach you take will likely need to evolve. We found that out for ourselves at ClearPoint, and recently took an entirely new approach to risk assessment. Below are the details of what we changed and why, so you can copy some ideas for your own company.

Our Annual Risk Assessment Process: Before

ClearPoint has done an annual risk assessment for years. This process is designed to:

  • Identify the risks associated with our business.
  • Determine how we can control each risk.
  • Identify actions we can take to address those risks.

Up until recently, our process was more of a one-day team exercise. We’d gather everyone together to brainstorm a list of risks. Once the list was complete, we’d assign action items to address those risks.

But there were some problems...

While we put a lot of effort into doing our annual risk assessment, we didn’t have any follow-up processes in place to regularly discuss and report on the actions that came out of that meeting. And, most importantly, our risk assessment wasn’t linked to our strategy in any meaningful way—it existed as a separate, standalone effort. Especially as we grew as a company, we realized we needed to evolve our annual risk assessment process.

Our Annual Risk Assessment Process: Now

With the goal of making sure our risks were closely tied to our strategy, here’s how we recently restructured and approached our risk assessment process:

Step 1: Department-level Brainstorms

Each department separately brainstormed its own risks based on the company’s overall strategy. For example, the customer success team (and product team, marketing team, etc.) met and developed a list of risks associated with their specific strategic objectives. We gave everyone a basic annual risk assessment questionnaire to help guide the conversations.

[Figure: Risk map]

Step 2: Leadership Risk Alignment

Next, the department heads met with the leadership team to examine all risks. The meeting focused on eliminating duplicates, organizing by themes, and confirming strategic alignment. At the end of the meeting, we had a list of our objectives and all the risks associated with each one (some risks applied to multiple objectives).

[Figure: Risk alignment]

Step 3: Risk Matrix Development

We placed objectives and risks in a matrix so we could add scores to each. Risk scores were based on:

  • Overall impact score if the risk occurred, on a scale of 1 (lowest) to 5 (highest)
  • 1-year timeframe probability of the risk occurring
  • 5-year timeframe probability of the risk occurring

Those numbers were then averaged to generate an overall score for each risk. For any risks that scored above a certain threshold, we chose a control. Controls included:

  • Avoid: Make a fundamental change that will eliminate the risk.
  • Reduce: Lower the chances that the risk will occur.
  • Mitigate: Reduce the consequences if the risk occurs.
  • Transfer: Shift the risk to another organization capable of handling it (outsourcing to a third party).
  • Accept: Agree that the consequences are worth the risk.

This example matrix can be used as an annual risk assessment template:

[Figure: Risk matrix]

For any risks with controls that required some type of action, we added those items to the matrix and then to ClearPoint. All risk assessment action items are linked to our strategic objectives within ClearPoint and we can now report on these items quarterly.

Based on your company’s stage of growth, your annual risk assessment process may not need to be this detailed. But the ultimate goal is to link your risks to your strategy.

A Big Change In Process...For The Better.

Our annual risk assessment used to be a standalone exercise. Now it’s part of our overall strategic planning and execution process—and this is clearly the right way to approach this effort. It was a big change, for the better. Here’s what we’ve been able to do using this new approach:

  • Identify risks in a more methodical manner and tie those risks to the objectives of our strategic plan.
  • Track and report on the action items associated with our risks during quarterly review meetings. Risks are now included in our conversations about what we’re doing to execute on our strategic plan.
  • Engage more people across the company in the annual risk assessment process and our overall strategy. The one-day, full-team exercise made it difficult for anyone but managers and senior leadership to speak up, but starting risk alignment at the department level has given more team members the chance to contribute to brainstorming. Everyone has a stronger sense of ownership and is more cognizant of the risks to our business.

Using ClearPoint For Annual Risk Assessments

Our departments used different applications for their initial brainstorms, and we built the annual risk assessment template in a spreadsheet, but ClearPoint was the final destination for all the strategic pieces of this effort. You can use ClearPoint to:

  • Link risks to strategic objectives.
  • Assign owners and collaborators to action items that originate from the risk assessment.
  • Send reminders or set alerts for risk reporting deadlines.
  • Share updates on the progress and results of your annual risk assessment with teams.

Our platform not only helps with strategy alignment, but also fosters transparency and engagement. If you want more details on how we do risk assessments, contact us.


Angel Oh

Product Manager & Former Synchronized Swimmer

Angel works alongside the product team to help build new features and improve customer experience.