The scope of the risk assessment workshop depends on the size of your organization and your area of greatest concern.
For small organizations, we might focus on the entire organization, covering all risk categories in the chart below. The priority is breadth of coverage, recognizing that your newly risk-aware employees will add further depth (i.e., more risks identified per category) over time.
For larger organizations, a risk assessment of the entire organization will not be practical. We will suggest focusing on an area that combines high concern with low-hanging fruit. The low-hanging fruit provides a good training ground for employees doing a risk assessment for the first time. Once they have had success with their first risk assessment, with our support, they will be ready for the next challenge, integrated into their regular oversight activities.
While there are many risk management frameworks (Basel III, COSO, ISO 31000), they are large, complex, enterprise-focused models suited to large organizations with full-time risk management departments that can devote the time necessary to implement them successfully.
For organizations that don’t have full-time risk management capability, we prefer to start with a simple framework that provides breadth of coverage and is easy to implement. We’re essentially doing that in our first risk assessment because of the completed documentation that is developed as part of our training and risk assessment engagement. Below is a model supported by the Global Risk Management Institute and augmented by CME Inc.’s experience.