Risk Assessment Questionnaire

The document is a risk assessment questionnaire from a company. It provides sections for employees to describe their goals and objectives, identify the top risks to achieving those goals, and rate the likelihood and potential impact of various strategic and operational risks facing the company. It aims to gather input to help with annual budgeting and business planning.

Uploaded by

Rodney Labay

RISK ASSESSMENT QUESTIONNAIRE

SURVEY

OVERVIEW

As announced by <Insert Name>, you have been selected to participate in the Company XYZ Risk Assessment
Survey. This is considered a very important initiative and is expected to provide valuable insight as we prepare
for the annual budgeting and business planning effort.
Please complete the survey below. Please be thoughtful in your responses. Insert explanatory comments
where appropriate. Each section below includes instructions for completion. Additional information and
reference materials are included on subsequent tabs. Please contact <Insert Name> at <Insert Email ID> or
<Insert Number> with any questions.

NAME
TITLE
DATE

SECTION A - Your Goals


Briefly describe the goals and objectives in your area of responsibility, especially over the next 12–18 months.
(For example: growth through acquisition or new services, fill key positions left vacant by turnover, etc.)
1.
2.
3.
4.

SECTION B - Your Top 3 to 5 Risks


What are the key risks (operational, financial, or technical) that would threaten the achievement of your goals
and objectives? A risk is defined as “the threat that an event or action/inaction will adversely affect an
organization or department’s ability to achieve its business objectives and execute its strategies successfully.”
| # | Risk Name | Examples of What Could Go Wrong | Priority |
| --- | --- | --- | --- |
| 1. | | | |
| 2. | | | |
| 3. | | | |
| 4. | | | |
| 5. | | | |

Source: www.knowledgeleader.com

SECTION C - Company-Wide Top 3 to 5 Risks
What are the key risks (operational, financial, or technical) that would threaten the achievement of the
company's strategic objectives? A risk is defined as “the threat that an event or action/inaction will adversely
affect an organization or department’s ability to achieve its business objectives and execute its strategies
successfully.”
| # | Risk Name | Examples | Priority |
| --- | --- | --- | --- |
| 1. | | | |
| 2. | | | |
| 3. | | | |
| 4. | | | |
| 5. | | | |

SECTION D - Quantitative Risk Ratings


What is the likelihood of each of these risks occurring? What is the significance of each of these risks?
For the risks listed below, select a rating for both likelihood and significance. Please note that it is important that
you do NOT consider the existence or effectiveness of current controls when rating the likelihood of each risk.
For the definitions of risks and categories, consult the definition sections or hover over the name of the risk or
category below for additional details.

See the Environmental Risk detailed schedule for more detailed definitions of risks.

| Risk | Definition | Likelihood | Significance |
| --- | --- | --- | --- |
| Environmental Risk | Environment risk arises when there are external forces that can affect a company’s performance or make its choices regarding its strategies, operations, customer and supplier relationships, organizational structure or financing obsolete or ineffective. These forces are outside management’s ability to control and could significantly change the fundamentals that drive its business model and, in the extreme, put the company out of business. | | |
| Competitor | Major competitors or new entrants to the market take actions to establish and sustain competitive advantage over the company and even threaten its ability to survive. These actions include issuance of new products to market, improving product quality, increasing productivity and reducing costs, and reconfiguring the value chain in the eyes of the customer. | | |
| Customer Wants | Customer needs and wants change and the company isn't aware. Such needs and wants may apply to desired quality, willingness to pay and/or speed of execution. The extent of this risk is directly impacted by the effectiveness of a company’s processes for “staying close to the customer” and monitoring and understanding changes in customer needs, wants and expectations. | | |
| Technological Innovation | The organization is not leveraging advancements in technology in its business model to achieve or sustain competitive advantage. The company may also be exposed to the actions of competitors or substitutes that do leverage technology to attain superior quality, cost and/or time performance in their products, services and processes. | | |
| Sensitivity | Over-commitment of resources and expected future cash flows threaten the firm’s capacity to withstand changes in environmental forces (e.g., interest rates, market demand, changes in regulations, etc.) beyond its control. | | |
| Shareholder Expectations | A decline in investor confidence in the firm’s business model or the inability of a firm to execute its model threatens its capacity to efficiently raise capital or sustain share valuations. | | |
| Capital Availability | Insufficient access to capital threatens the firm’s capacity to grow, execute its business model and generate future financial returns. | | |
| Legal | Changing laws threaten the firm’s capacity to consummate important transactions, enforce contractual agreements or implement specific strategies and activities. | | |
| Regulatory | Changing regulations threaten the firm’s competitive position and its capacity to efficiently conduct business. | | |
| Industry | Changes in opportunities and threats, capabilities of competitors, and other conditions affecting the firm’s industry may impact the attractiveness or long-term viability of that industry. | | |
| Financial Markets | Movements in prices, rates, indices, etc., affect the value of the firm’s financial assets and stock price, which may also affect its cost of capital and/or its ability to raise capital. | | |
| Catastrophic Loss | The inability to sustain operations, provide essential products and services, or recover operating costs as a result of a major disaster. The inability to recover from such events in a world-class manner could damage the company’s reputation, ability to execute business operations, ability to obtain capital, and investor relationships. | | |

See the Process Risk detailed schedule for more detailed definitions of risks.

| Risk | Definition | Likelihood | Significance |
| --- | --- | --- | --- |
| Process Risk | Process risk arises when the organization’s business processes are not clearly defined; are poorly aligned with business strategies; are not performing effectively and efficiently in satisfying customer needs; are not building owner wealth; or are exposing significant financial, physical, information and intellectual assets to unacceptable losses, risk taking, misappropriation, or misuse. | | |
| Operations Risk | Operations risk is the risk that operations are inefficient and ineffective in executing the firm’s business model, satisfying customers and achieving the firm’s quality, cost and time performance objectives. | | |
| Customer Satisfaction | A lack of focus on customers threatens the firm’s capacity to meet or exceed customer expectations. | | |
| Human Resources | The personnel responsible for managing and controlling an organization or a business process do not possess the requisite knowledge, skills and experience needed to ensure that critical business objectives are achieved and significant business risks are reduced to an acceptable level. | | |
| Broker Talent Management | Company is unable to attract and retain top talent brokers to drive sustainable growth. There is excessive authority granted to market leadership in designing compensation packages to attract top talent. | | |
| Knowledge Capital | Processes for capturing and institutionalizing learning across the firm are either non-existent or ineffective, resulting in slow response time, high costs, duplication of efforts, repeated mistakes, slow competence development, constraints on growth, and unmotivated employees. | | |
| New Service Development | The company's service development process creates services that: (a) customers do not want or need, (b) are priced at a level customers are not willing to pay, or (c) meet a need but are late in reaching the market that a competitor reached first. The productivity of the service development process is significantly less than more innovative competitors who are able to achieve higher productivity through a stronger customer focus, concentrating focused resources and faster cycle time. | | |
| Efficiency | The process is inefficient in satisfying valid customer requirements resulting in higher than competitive costs, e.g., significant gaps are identified when the cost of process activities is compared with costs incurred by world-class performers. | | |
| Capacity | Insufficient capacity threatens the firm’s ability to meet customer demands, or excess capacity threatens the firm’s ability to generate competitive profit margins. | | |
| Scalability | The company is unable to operate differently, more efficiently at larger volumes, or spread costs over greater sales volume. This results in diseconomies of scale that threaten the firm’s ability to generate competitive profit margins and grow the business. | | |
| Performance Gap | A business process does not perform at a world-class level because the practices designed into the process are inferior. When compared to competitors or best of class performers, there is an unfavorable performance gap because of lower quality, higher costs, or longer cycle times. | | |
| Procurement & Sourcing | The fewer the alternative sources of key commodities used in a company's operations, the greater the risks of shortages and higher costs. These risks can significantly affect the company's capability to provide its services at a competitive level. | | |
| Partnering | Inefficient or ineffective alliances, joint ventures, affiliates and other external relationships affect the firm’s capability to compete. These uncertainties arise due to the following circumstances: choosing the wrong partner, poor execution, taking more than is given (resulting in loss of a partner), and failing to capitalize on partnering opportunities. | | |
| Compliance | As a result of a flaw in design or operation or due to human error, oversight or indifference, the company's processes do not meet customer requirements the first time, do not comply with prescribed procedures and policies, or do not comply with regulatory requirements. Compliance risk, sometimes referred to as nonconformance risk, results in loss of reputation, lower quality, higher costs, lost revenues and unnecessary delays. | | |
| Business Interruption | Business interruptions stemming from the unavailability of information technologies, facilities or other resources threaten the firm’s capacity to continue operations. | | |
| Service Failure | Faulty or non-performing services expose the firm to customer complaints, liability claims, litigation and loss of revenues, market share and business reputation. | | |
| Environmental | Environmental risks expose companies to potentially enormous liabilities. The exposure is twofold: (1) liability to third parties for bodily injury or property damage caused by the pollution, and (2) liability to governments or third parties for the cost of removing pollutants plus severe punitive damages. | | |
| Health and Safety | Failure to provide a safe working environment for its employees exposes the firm to compensation liabilities, loss of business reputation, and other costs. | | |
| Brand Erosion | Erosion of a brand over time threatens the demand for the firm’s services and impairs its ability to grow future revenue streams. | | |
| Information Technology Risk | Information processing technology risk is the risk that the information technologies used in the firm (a) are not operating as intended, (b) are compromising the integrity and reliability of data and information, (c) are exposing significant assets to potential loss or misuse, or (d) are hampering the firm’s ability to sustain the operation of critical processes. | | |
| Integrity | All of the risks associated with the authorization, completeness and accuracy of transactions as they are entered into, processed by, summarized by and reported by the various application systems that the firm deploys. | | |
| Alignment with Business | There is poor alignment between the allocation of IT resources and the company's strategic objectives. The processes are not in place to ensure that, as the company's goals and objectives evolve, the information technology evolves appropriately. | | |
| Access & Security | Failure to adequately restrict access to information (data or programs) may result in unauthorized knowledge and use of confidential information, or overly restrictive access to information may preclude personnel from performing their assigned responsibilities effectively and efficiently. | | |
| Availability & Disaster Recovery | Unavailability of important information when needed threatens the continuity of the firm’s critical operations and processes. A formal and tested plan for recovering key IT systems and applications in the event of a disaster is not in place. | | |
| Infrastructure & Asset Management | The risk that the firm does not have the information technology infrastructure (e.g., hardware, networks, software, people and processes) it needs to effectively support the current and future information requirements of the business in an efficient, cost-effective and well-controlled fashion. There is a lack of formal monitoring processes in place to ensure IT assets (hardware, networks, software, people) are managed optimally. | | |
| Empowerment Risk | Empowerment risk is the risk that managers and employees (a) are not properly led, (b) do not have clear tasks or clear timeframes, (c) exceed the boundaries of their assigned authority, or (d) are given incentives to do the wrong thing. | | |
| Leadership | The firm’s people are not being effectively led, which may result in a lack of direction, customer focus, motivation to perform, management credibility and trust throughout the firm. | | |
| Authority/Limit | Ineffective lines of authority may cause managers or employees to perform tasks they should not do or fail to perform tasks that are necessary. Failure to establish or enforce limits on personnel actions may cause employees to commit unauthorized or unethical acts or to assume unauthorized or unacceptable risks. | | |
| Outsourcing | There are two elements of outsourcing risk. First, there is the risk that outside service providers (i.e., Third Party Administrators (TPAs), overseas and domestic partners and agents) do not act within their defined limits of authority and do not perform in a manner consistent with the values, strategies and objectives of the company. Second, there is the risk that strategic business processes outsourced will ultimately create competition for the outsourcing organization. | | |
| Performance Incentives | Unrealistic, misunderstood, subjective or non-actionable performance measures may cause managers and employees to act in a manner inconsistent with the firm’s objectives, strategies, and ethical standards, or act outside of prudent business practices. | | |
| Change Readiness | The people within the firm are unable to implement process and service improvements quickly enough to keep pace with changes in the marketplace. | | |
| Communications | Ineffective communication channels may result in messages that are inconsistent with authorized responsibilities or established performance measures. | | |
| Governance Risk | Governance risk is the risk that the organization’s governance processes do not comply with legal requirements or stakeholder expectations and that the board of directors fails to provide adequate monitoring and oversight of executive management activities. | | |
| Organizational Culture | The organization’s culture does not encourage managers to realistically portray the potential outcomes and full picture of transactions, deals, investments and projects. The organization experiences dysfunctional behavior because managers are either risk averse or rewarded to take risks beyond the organization’s risk appetite. | | |
| Ethical Behavior | The organization may not be committed to ethical and responsible business behavior possibly resulting in loss of reputation and legal penalties. | | |
| Board Effectiveness | The board does not constructively engage management and provide anticipatory, proactive and interactive oversight of the company’s activities and affairs with integrity, vision, common sense and unquestioned independence. | | |
| Succession Planning | Leadership talent within the organization is not sufficiently developed and planned to provide for orderly succession in the future. | | |
| Integrity Risk | Integrity risk is the risk of management fraud, employee fraud, illegal acts and unauthorized acts, any or all of which could lead to reputation loss in the marketplace. | | |
| Management Fraud | Management issues misleading financial statements with intent to deceive the investing public and the external auditor or engages in bribes, kickbacks, influence payments and other schemes for the benefit of the company. Certain economical/organizational factors may lead to management fraud: economic recession, aggressive accounting practice, pressure to achieve high earnings, and a possible erosion of ethics. | | |
| Employee Fraud | Fraudulent activities perpetrated by employees against the organization for personal gain (e.g., misappropriation of physical, financial or information assets) and/or expose the organization to financial loss. These employees act individually or in collusion to perpetrate fraud against the company, resulting in financial loss or unauthorized use of physical, financial or information assets. | | |
| Third-Party Fraud | Fraudulent activities perpetrated by customers, suppliers, agents, brokers or third-party administrators against the organization for personal gain (e.g., misappropriation of physical, financial or information assets) and/or expose the organization to financial loss. These parties act individually or in collusion to perpetrate fraud against the company, resulting in financial loss or unauthorized use of physical, financial or information assets. | | |
| Illegal Acts | Illegal acts committed by managers or employees expose the firm to fines, sanctions and loss of customers, profits and reputation, etc. | | |
| Unauthorized Use | Unauthorized use of the firm’s physical, financial or information assets by employees or others exposes the firm to unnecessary waste of resources and financial loss. | | |
| Reputation Risk | Reputation risk is the risk of losing brand image such that the company may be unable to operate in the marketplace. | | |
| Image and Branding | The company may lose customers, key employees or its ability to compete due to perceptions that it does not deal fairly with customers, suppliers and stakeholders, or know how to manage its business. | | |
| Stakeholder Relations | A decline in investor confidence may impair a company's ability to efficiently raise capital. | | |

See the Information Risk detailed schedule for more detailed definitions of risks.

| Risk | Definition | Likelihood | Significance |
| --- | --- | --- | --- |
| Information for Decision Making Risk | Information for decision-making risk is the risk that information used to support the execution of the business model, the internal and external reporting on performance and the continuous evaluation of the effectiveness of the firm’s business model is not relevant or reliable. These risks relate to every aspect of the firm’s value creation activities. | | |
| Strategic Risk | Strategic risk is the risk that occurs when the business portfolio of products and services is not appropriately aligned with business strategy. | | |
| Environmental Scan | Failure to monitor the external environment or formulation of unrealistic or erroneous assumptions about environment risks. | | |
| Business Model | The company has an obsolete business model and doesn't recognize it and/or lacks the information needed to make an up-to-date assessment of its current model and build a compelling business case for modifying that model on a timely basis. | | |
| Business Portfolio | Lack of relevant and reliable information that enables management to effectively prioritize its products or balance its businesses in a strategic context may preclude a diversified company from optimizing its overall performance. | | |
| Investment Valuation/Evaluation | Lack of relevant and/or reliable information supporting investment decisions and linking the risks undertaken to the capital at risk may result in poor investment decisions. | | |
| Organization Structure | Management lacks the information needed to assess the effectiveness of the company's organizational structure, which threatens its capacity to change or achieve its long-term strategies. | | |
| Measurement | Nonexistent, irrelevant, or unreliable performance measures that are inconsistent with established business strategies threaten the organization’s ability to achieve its long-term strategies. | | |
| Resource Allocation | Inadequate information supporting the resource allocation process may preclude the company from establishing and sustaining competitive advantage or maximizing shareholder returns (e.g., channeling scarce resources toward those opportunities that provide the best prospects for balancing risk and reward). | | |
| Planning | An unimaginative and cumbersome strategic planning process may result in irrelevant information that threatens the firm’s capacity to formulate viable business strategies. | | |
| Public Reporting | Public reporting risk is the risk that financial information is not being captured completely and accurately and may not be relevant or reliable. | | |
| Financial Reporting Evaluation | Failure to accumulate relevant and reliable external and internal information to assess whether adjustments to or disclosures in financial statements are required may result in the issuance of misleading financial reports to external stakeholders. | | |
| Internal Control Evaluation | Failure to accumulate sufficient relevant and reliable information to assess the design and operating effectiveness of internal control over financial reporting, resulting in inaccurate assertions by management in the internal control report. | | |
| Taxation | Failure to accumulate and consider relevant tax information may result in non-compliance with tax regulations or adverse tax consequences that could have been avoided had transactions been structured differently. | | |
| Regulatory Reporting | Reports of operating and financial information required by regulatory agencies are incomplete, inaccurate, or untimely, exposing the company to fines, penalties and sanctions. | | |
| Operational | Operational Risk is the risk that measures whether the organization’s quality, time, and cost objectives are relevant or reliable. | | |
| Budget and Planning | Non-existent, unrealistic, irrelevant or unreliable budget and planning information may cause inappropriate financial conclusions and decisions. | | |
| Service Pricing | The success of your services relies directly upon your ability to sell them, which in turn is dependent upon your pricing strategy. If your prices come in too low, the company will not be able to make a reasonable profit. Go too high, and the company may weaken the demand of its product offerings. This occurs when companies do not understand how customers view the product and what they are willing to pay. | | |
| Contract Commitment | The risk that the company may not comply with vendor or customer contracts or meet vendor or customer requirements. In addition, a lack of relevant and/or reliable information concerning contractual commitments outstanding as of a point in time may result in subsequent incremental contractual commitment decisions that may not be in the best interests of the company. | | |
| Measurement | Non-existent, irrelevant and/or unreliable non-financial and performance measures may cause erroneous assessments of and conclusions about operational performance that are inconsistent with established business strategies, threatening the company's ability to execute its strategies. | | |
| Alignment | Failure to align business process objectives and performance measures with enterprise-wide and/or operating unit objectives and strategies may result in conflicting, uncoordinated activities throughout the company. | | |
| Accounting Information | Overemphasis on financial accounting information to manage the business may result in the manipulation of outcomes to achieve financial targets at the expense of not meeting customer satisfaction, quality and efficiency objectives. | | |

SECTION E - Internal Audit Areas


Considering the areas you noted above, please identify the top two or three areas where internal audit could
provide the most value at Company XYZ.
1.
2.
3.

COMMONLY USED CATEGORIES OF RISK

Environment Risk
Competitor, Customer Wants, Technological Innovation, Sensitivity, Shareholder Expectations, Capital Availability, Legal, Regulatory, Industry, Financial Markets, Catastrophic Loss

Process Risk
• Operations: Customer Satisfaction, Human Resources, Broker Talent Management, Knowledge Capital, New Service Development, Efficiency, Capacity, Scalability, Performance Gap, Procurement & Sourcing, Partnering, Compliance, Business Interruption, Service Failure, Environment, Health & Safety, Brand Erosion
• Empowerment: Leadership, Authority/Limit, Outsourcing, Performance Incentives, Change Readiness, Communications
• Information Technology: Integrity, Alignment with Business, Access & Security, Availability & Disaster Recovery, Infrastructure & Asset Management
• Governance: Organizational Culture, Ethical Behavior, Board Effectiveness, Succession Planning
• Integrity: Management Fraud, Employee Fraud, Third Party Fraud, Illegal Acts, Unauthorized Use
• Reputation: Image and Branding, Stakeholder Relations

Information For Decision-Making Risk
• Strategic: Environmental Scan, Business Model, Business Portfolio, Investment Evaluation, Organization Structure, Measurement, Resource Allocation, Planning
• Public Reporting: Financial Reporting Evaluation, Internal Control Evaluation, Executive Certification, Taxation, Regulatory Reporting
• Operational: Budget & Planning, Services Pricing, Contract Commitment, Measurement, Alignment, Accounting Information

RATING GUIDANCE

Likelihood
Likelihood of occurrence over the next 2-3 years
5 - Almost Certain - Is expected to occur in most circumstances (>90%)
4 - Likely - Will probably occur in most circumstances
3 - Possible - Might occur at some time (50%)
2 - Unlikely - Could occur at some time
1 - Rare - May occur in exceptional circumstances (<5%)
*Do not consider the existence or effectiveness of current controls when rating the likelihood.*

Significance

Operations Impact
5 - Catastrophic - Near total loss of business unit(s); recovery impossible
4 - Major - Severe impact on business unit(s); recovery very difficult/costly
3 - Moderate - Moderate loss of business; moderate changes to business model
2 - Minor - Some impact on operations; easily recoverable
1 - Insignificant - No operational impact or loss of business

Reputational Impact
Stakeholders can represent customers, employees or vendors.
5 - Catastrophic - Global print and media coverage/significant impact to stakeholders
4 - Major - National media coverage/significant impact to stakeholders
3 - Moderate - Regional media coverage/moderate impact to stakeholders
2 - Minor - Local media coverage/minor impact to stakeholders
1 - Insignificant - Some local media coverage/limited impact to stakeholders

Financial Impact
5 - Catastrophic - Catastrophic financial loss
4 - Major - Major financial loss
3 - Moderate - Moderate financial loss
2 - Minor - Minor financial loss
1 - Insignificant - Insignificant financial loss

ENVIRONMENT RISK

Environment risk arises when there are external forces that can affect a company’s performance or make its
choices regarding its strategies, operations, customer and supplier relationships, organizational structure or
financing obsolete or ineffective. These forces are outside management’s ability to control and could significantly
change the fundamentals that drive its business model and, in the extreme, put the company out of business.
• Competitor risk: Major competitors or new entrants to the market take actions to establish and sustain
competitive advantage over the company and even threaten its ability to survive. These actions include
issuance of new products to market, improving product quality, increasing productivity and reducing costs, and
reconfiguring the value chain in the eyes of the customer.
• Customer wants risk: Customer needs and wants change and the company isn't aware. Such needs and
wants may apply to desired quality, willingness to pay and/or speed of execution. The extent of this risk is
directly impacted by the effectiveness of a company’s processes for “staying close to the customer” and
monitoring and understanding changes in customer needs, wants and expectations.
• Technological innovation risk: The organization is not leveraging advancements in technology in its
business model to achieve or sustain competitive advantage. The company may also be exposed to the
actions of competitors or substitutes that do leverage technology to attain superior quality, cost and/or time
performance in their products, services and processes.
• Sensitivity risk: Overcommitment of resources and expected future cash flows threatens the firm’s capacity
to withstand changes in environmental forces (e.g., interest rates, market demand, changes in regulations,
etc.) beyond its control.
• Shareholder expectations risk: A decline in investor confidence in the firm’s business model or the inability
of a firm to execute its model threatens its capacity to efficiently raise capital or sustain share valuations.
• Capital availability risk: Insufficient access to capital threatens the firm’s capacity to grow, execute its
business model and generate future financial returns.
• Legal risk: Changing laws threaten the firm’s capacity to consummate important transactions, enforce
contractual agreements or implement specific strategies and activities.
• Regulatory risk: Changing regulations threaten the firm’s competitive position and its capacity to efficiently
conduct business.
• Industry risk: Changes in opportunities and threats, capabilities of competitors, and other conditions affecting
the firm’s industry may impact the attractiveness or long-term viability of that industry.
• Financial markets risk: Movements in prices, rates, indices, etc., affect the value of the firm’s financial assets
and stock price, which may also affect its cost of capital and/or its ability to raise capital.
• Catastrophic loss risk: The inability to sustain operations, provide essential services, or recover operating
costs as a result of a major disaster. The inability to recover from such events in a world-class manner could
damage the company’s reputation, ability to execute business operations, ability to obtain capital, and investor
relationships.

PROCESS RISK

Process risk arises when the organization’s business processes are not clearly defined; are poorly aligned with
business strategies; are not performing effectively and efficiently in satisfying customer needs; are not building
owner wealth; or are exposing significant financial, physical, information and intellectual assets to unacceptable
losses, risk taking, misappropriation, or misuse.

OPERATIONS RISK
Operations risk is the risk that operations are inefficient and ineffective in executing the firm’s business model,
satisfying customers and achieving the firm’s quality, cost and time performance objectives.
• Customer satisfaction risk: A lack of focus on customers threatens the firm’s capacity to meet or exceed
customer expectations.

• Human resources risk: The personnel responsible for managing and controlling an organization or a
business process do not possess the requisite knowledge, skills and experience needed to ensure that critical
business objectives are achieved and significant business risks are reduced to an acceptable level.
• Broker talent management risk: Company is unable to attract and retain top talent brokers to drive
sustainable growth. There is excessive authority granted to market leadership in designing compensation
packages to attract top talent.
• Knowledge capital risk: Processes for capturing and institutionalizing learning across the firm are either
non-existent or ineffective, resulting in slow response time, high costs, duplication of efforts, repeated mistakes,
slow competence development, constraints on growth, and unmotivated employees.
• New service development risk: The company's service development process creates services that:
− Customers do not want or need,
− Are priced at a level customers are not willing to pay, or
− Meet a need but are late in reaching the market that a competitor reached first.

The productivity of the service development process is significantly lower than that of more innovative competitors,
who are able to achieve higher productivity through a stronger customer focus, concentrating focused resources
and faster cycle time.

• Efficiency risk: The process is inefficient in satisfying valid customer requirements resulting in higher than
competitive costs, e.g., significant gaps are identified when the cost of process activities is compared with
costs incurred by world-class performers.
• Capacity risk: Insufficient capacity threatens the firm’s ability to meet customer demands, or excess capacity
threatens the firm’s ability to generate competitive profit margins.
• Scalability risk: The company is unable to operate differently, more efficiently at larger volumes, or spread
costs over greater sales volume. This results in diseconomies of scale that threaten the firm’s ability to
generate competitive profit margins and grow the business.
• Performance gap risk: A business process does not perform at a world-class level because the practices
designed into the process are inferior. When compared to competitors or best of class performers, there is an
unfavorable performance gap because of lower quality, higher costs, or longer cycle times.
• Procurement and sourcing risk: The fewer the alternative sources of key commodities used in a company's
operations, the greater the risks of shortages and higher costs. These risks can significantly affect the
company's capability to provide its services at a competitive level.
• Partnering risk: Inefficient or ineffective alliances, joint ventures, affiliates and other external relationships
affect the firm’s capability to compete. These uncertainties arise due to the following circumstances: choosing
the wrong partner, poor execution, taking more than is given (resulting in loss of a partner), and failing to
capitalize on partnering opportunities.
• Compliance risk: As a result of a flaw in design or operation or due to human error, oversight or indifference,
the company's processes do not meet customer requirements the first time, do not comply with prescribed
procedures and policies, or do not comply with regulatory requirements. Compliance risk, sometimes referred
to as nonconformance risk, results in loss of reputation, lower quality, higher costs, lost revenues and
unnecessary delays.
• Business interruption risk: Business interruptions stemming from the unavailability of information
technologies, facilities or other resources threaten the firm’s capacity to continue operations.
• Service failure risk: Faulty or non-performing services expose the firm to customer complaints, liability
claims, litigation and loss of revenues, market share and business reputation.
• Environmental risk: Environmental risks expose companies to potentially enormous liabilities. The exposure
is twofold—(1) liability to third parties for bodily injury or property damage caused by the pollution, and (2)
liability to governments or third parties for the cost of removing pollutants plus severe punitive damages.

• Health and safety risk: Failure to provide a safe working environment for its employees exposes the firm to
compensation liabilities, loss of business reputation, and other costs.
• Brand erosion risk: Erosion of a brand over time threatens the demand for the firm’s services and impairs its
ability to grow future revenue streams.

INFORMATION PROCESSING/TECHNOLOGY RISK


Information processing/technology risk is the risk that the information technologies used in the firm (a) are not
operating as intended, (b) are compromising the integrity and reliability of data and information, (c) are exposing
significant assets to potential loss or misuse, or (d) are hampering the firm’s ability to sustain the operation of
critical processes.
• Integrity risk: All of the risks associated with the authorization, completeness and accuracy of transactions as
they are entered into, processed by, summarized by and reported by the various application systems that the
firm deploys.
• Alignment with business risk: There is poor alignment between the allocation of IT resources and the
company's strategic objectives. Processes are not in place to ensure that, as the company's goals and
objectives evolve, the information technology evolves appropriately.
• Access and security risk: Failure to adequately restrict access to information (data or programs) may result
in unauthorized knowledge and use of confidential information, or overly restrictive access to information may
preclude personnel from performing their assigned responsibilities effectively and efficiently.
• Availability and disaster recovery risk: Unavailability of important information when needed threatens the
continuity of the firm’s critical operations and processes. A formal and tested plan for recovering key IT
systems and applications in the event of a disaster is not in place.
• Infrastructure and asset management risk: The risk that the firm does not have the information technology
infrastructure (e.g., hardware, networks, software, people and processes) it needs to effectively support the
current and future information requirements of the business in an efficient, cost-effective and well-controlled
fashion. There is a lack of formal monitoring processes in place to ensure IT assets (hardware, networks,
software, people) are managed optimally.

EMPOWERMENT RISK
Empowerment risk is the risk that managers and employees (a) are not properly led, (b) do not have clear tasks or
clear timeframes, (c) exceed the boundaries of their assigned authority, or (d) are given incentives to do the
wrong thing.
• Leadership risk: The firm’s people are not being effectively led, which may result in a lack of direction,
customer focus, motivation to perform, management credibility and trust throughout the firm.
• Authority/limit risk: Ineffective lines of authority may cause managers or employees to perform tasks they
should not do or fail to perform tasks that are necessary. Failure to establish or enforce limits on personnel
actions may cause employees to commit unauthorized or unethical acts or to assume unauthorized or
unacceptable risks.
• Outsourcing risk: There are two elements of outsourcing risk. First, there is the risk that outside service
providers (e.g., third-party administrators [TPAs], overseas and domestic partners and agents) do not act
within their defined limits of authority and do not perform in a manner consistent with the values, strategies and
objectives of the company. Second, there is the risk that strategic business processes outsourced will
ultimately create competition for the outsourcing organization.
• Performance incentives risk: Unrealistic, misunderstood, subjective or non-actionable performance
measures may cause managers and employees to act in a manner inconsistent with the firm’s objectives,
strategies, and ethical standards, or act outside of prudent business practices.
• Change readiness risk: The people within the firm are unable to implement process and service
improvements quickly enough to keep pace with changes in the marketplace.

• Communications risk: Ineffective communication channels may result in messages that are inconsistent with
authorized responsibilities or established performance measures.

GOVERNANCE RISK
Governance risk is the risk that the organization’s governance processes do not comply with legal requirements or
stakeholder expectations and that the board of directors fails to provide adequate monitoring and oversight of
executive management activities.
• Organizational culture risk: The organization’s culture does not encourage managers to realistically portray
the potential outcomes and full picture of transactions, deals, investments and projects. The organization
experiences dysfunctional behavior because managers are either risk averse or rewarded for taking risks beyond
the organization’s risk appetite.
• Ethical behavior risk: The organization may not be committed to ethical and responsible business behavior
possibly resulting in loss of reputation and legal penalties.
• Board effectiveness risk: The board does not constructively engage management and provide anticipatory,
proactive and interactive oversight of the company’s activities and affairs with integrity, vision, common sense
and unquestioned independence.
• Succession planning risk: Leadership talent within the organization is not sufficiently developed and planned
to provide for orderly succession in the future.

INTEGRITY RISK
Integrity risk is the risk of management fraud, employee fraud, illegal acts and unauthorized acts, any or all of
which could lead to reputation loss in the marketplace.
• Management fraud risk: Management issues misleading financial statements with intent to deceive the
investing public and the external auditor or engages in bribes, kickbacks, influence payments and other
schemes for the benefit of the company. Certain economic/organizational factors may lead to management
fraud: economic recession, aggressive accounting practice, pressure to achieve high earnings, and a possible
erosion of ethics.
• Employee/third-party fraud risk: Fraudulent activities perpetrated by employees, customers, suppliers,
agents, brokers or third-party administrators against the organization for personal gain (e.g., misappropriation
of physical, financial or information assets) expose the organization to financial loss. These parties act
individually or in collusion to perpetrate fraud against the company, resulting in financial loss or unauthorized
use of physical, financial or information assets.
• Illegal acts risk: Illegal acts committed by managers or employees expose the firm to fines, sanctions and
loss of customers, profits and reputation, etc.
• Unauthorized use risk: Unauthorized use of the firm’s physical, financial or information assets by employees
or others exposes the firm to unnecessary waste of resources and financial loss.

REPUTATION RISK
Reputation risk is the risk of losing brand image such that the company may be unable to operate in the
marketplace.
• Image and branding risk: The company may lose customers, key employees or its ability to compete due to
perceptions that it does not deal fairly with customers, suppliers and stakeholders, or know how to manage its
business.
• Stakeholder relations risk: A decline in investor confidence may impair a company's ability to efficiently raise
capital.

INFORMATION FOR DECISION-MAKING RISK

Information for decision-making risk is the risk that information used to support the execution of the business
model, the internal and external reporting on performance and the continuous evaluation of the effectiveness of
the firm’s business model is not relevant or reliable. These risks relate to every aspect of the firm’s value creation
activities.

STRATEGIC RISK
Strategic risk is the risk that occurs when the business portfolio of services is not appropriately aligned with
business strategy.
• Environmental scan risk: Failure to monitor the external environment or formulation of unrealistic or
erroneous assumptions about environment risks.
• Business model risk: The company has an obsolete business model and doesn't recognize it and/or lacks
the information needed to make an up-to-date assessment of its current model and build a compelling
business case for modifying that model on a timely basis.
• Business portfolio risk: Lack of relevant and reliable information that enables management to effectively
prioritize its products or balance its businesses in a strategic context may preclude a diversified company from
optimizing its overall performance.
• Investment valuation risk: Lack of relevant and/or reliable information supporting investment decisions and
linking the risks undertaken to the capital at risk may result in poor investment decisions.
• Organizational structure risk: Management lacks the information needed to assess the effectiveness of the
company's organizational structure, which threatens its capacity to change or achieve its long-term strategies.
• Measurement (strategy) risk: Nonexistent, irrelevant, or unreliable performance measures that are
inconsistent with established business strategies threaten the organization’s ability to achieve its long-term
strategies.
• Resource allocation risk: Inadequate information supporting the resource allocation process may preclude
the company from establishing and sustaining competitive advantage or maximizing shareholder returns (e.g.,
channeling scarce resources toward those opportunities that provide the best prospects for balancing risk and
reward).
• Planning risk: An unimaginative and cumbersome strategic planning process may result in irrelevant
information that threatens the firm’s capacity to formulate viable business strategies.

PUBLIC REPORTING RISK


Public reporting risk is the risk that financial information is not being captured completely and accurately and may
not be relevant or reliable.
• Financial reporting evaluation risk: Failure to accumulate relevant and reliable external and internal
information to assess whether adjustments to or disclosures in financial statements are required may result in
the issuance of misleading financial reports to external stakeholders.
• Internal control evaluation risk: Failure to accumulate sufficient relevant and reliable information to assess
the design and operating effectiveness of internal control over financial reporting, resulting in inaccurate
assertions by management in the internal control report.
• Taxation risk: Failure to accumulate and consider relevant tax information may result in non-compliance with
tax regulations or adverse tax consequences that could have been avoided had transactions been structured
differently.
• Regulatory reporting risk: Reports of operating and financial information required by regulatory agencies are
incomplete, inaccurate, or untimely, exposing the company to fines, penalties and sanctions.

OPERATIONAL RISK
Operational risk is the risk that measures whether the organization’s quality, time, and cost objectives are relevant
or reliable.
• Budget and planning risk: Non-existent, unrealistic, irrelevant or unreliable budget and planning information
may cause inappropriate financial conclusions and decisions.
• Service pricing risk: The success of your business relies directly upon your ability to sell, which in turn is
dependent upon your pricing strategy. If your prices come in too low, the company will not be able to make a
reasonable profit. Go too high, and the company may weaken the demand for its product offerings. This occurs
when companies do not understand how customers view the product and what they are willing to pay.
• Contract commitment risk: The risk that the company may not comply with vendor or customer contracts or
meet vendor or customer requirements. In addition, a lack of relevant and/or reliable information
concerning contractual commitments outstanding as of a point in time may result in subsequent incremental
contractual commitment decisions that may not be in the best interests of the company.
• Measurement risk: Non-existent, irrelevant and/or unreliable non-financial and performance measures may
cause erroneous assessments of and conclusions about operational performance that are inconsistent with
established business strategies, threatening the company's ability to execute its strategies.
• Alignment risk: Failure to align business process objectives and performance measures with enterprise-wide
and/or operating unit objectives and strategies may result in conflicting, uncoordinated activities throughout the
company.
• Accounting information risk: Overemphasis on financial accounting information to manage the business
may result in the manipulation of outcomes to achieve financial targets at the expense of not meeting customer
satisfaction, quality and efficiency objectives.
