

Life in an organization is by no means a walk in the park. With so many things happening (and able to happen) within and beyond your organizational bubble, arming yourself with the right information and tools is necessary. This makes risk assessment and management (RAM) an asset for any organization: it is not enough to identify initiatives for your strategy; it is vital to learn to anticipate, and to create mechanisms to address, events that can hinder organizational success.

Here are five ways your organization can assess and manage risks:


1. Know your enemy

While your organization may know where it wants to go, thanks to its strategy maps, events can manifest as risks that impact an organization’s work towards its goals and objectives. According to Mr. Michael Gallego, an Advisory Services Division Partner, P&A Grant Thornton Knowledge Management Unit Head, and risk management expert, confronting risks entails first knowing what they are.


Risk identification involves looking at your organizational strategies and objectives and determining what could go wrong with them. Your organization will need to come up with categories for its risks, and these can be as simple as labeling them operational or financial risks. Organizations undergoing programs like the Performance Governance System (PGS) can derive categories from strategy map elements. Mr. Gallego cautions that risk identification, or crafting your “risk universe”, is often the hardest part of the whole RAM process because it can take a long time to plot out the risk items under each identified category.

2. Keep score

Not only do risks come in several forms, they can also affect the organization in various ways. Organizations must therefore assess their risks according to impact and likelihood, which means keeping score of risk levels to identify which risks require the most attention. While your organization can identify budget cuts, leadership change, or database failure as risks, the question is also how likely these are to occur (and how detrimental they are to your strategy) in your current or future situation.


Determining the impact and likelihood of any risk means agreeing on a rating system or criteria that the organization will use across all levels. For Mr. Gallego, it can be as complicated as a 25-box model which rates impact and likelihood from 1 to 5, or as simple as a 4-box model with a rating from 1 to 2. To plot the likelihood of any risk, organizations can set quantitative (from occurring within six months to more than five years) or qualitative (from most likely to rarely) descriptors for each risk level. These will help you develop a risk heat map that will later form your overall risk profile.
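To make the 25-box model concrete, here is an added example (not from the article or from Mr. Gallego) of a small risk register scored on a 1 to 5 impact and likelihood scale, placed on the 5x5 heat map and ranked into a risk profile. The descriptor labels, the band thresholds and the sample risks are assumptions chosen for illustration.

```python
# Added example, not from the article: a small risk register scored on the
# 5x5 impact/likelihood model, then summarised as a heat map and risk profile.
# Descriptor labels, band thresholds and the sample risks are assumptions.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "most likely": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    name: str
    category: str     # e.g. operational, financial, or a strategy-map element
    likelihood: str   # qualitative descriptor, looked up in LIKELIHOOD
    impact: str       # qualitative descriptor, looked up in IMPACT

    def score(self) -> int:
        # Each risk lands in one of the 25 boxes; the product ranks the boxes.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def band(score: int) -> str:
    """Map a 1..25 score to a heat-map band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """5x5 grid keyed by (likelihood, impact) holding the risk names in each box."""
    grid = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in risks:
        grid[(LIKELIHOOD[r.likelihood], IMPACT[r.impact])].append(r.name)
    return grid

def risk_profile(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Rank risks by score, highest first, so those needing most attention surface."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), band(r.score())) for r in ranked]

# Constructed sample register built around the risks the article names.
SAMPLE_RISKS = [
    Risk("Budget cuts", "financial", "likely", "major"),             # 4 x 4 = 16
    Risk("Leadership change", "strategic", "unlikely", "moderate"),  # 2 x 3 = 6
    Risk("Database failure", "operational", "possible", "severe"),   # 3 x 5 = 15
    Risk("Supplier delay", "operational", "likely", "minor"),        # 4 x 2 = 8
]

if __name__ == "__main__":
    for name, score, level in risk_profile(SAMPLE_RISKS):
        print(f"{name:18} score={score:2}  band={level}")
```

Swapping the two descriptor tables for two-level ones turns the same code into the 4-box model the text mentions.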

3. Walk the talk

Knowing the risks and how damaging they can be to your organization is not enough. You must walk the talk and develop appropriate responses or measures to reduce your risks or eliminate them entirely. Mr. Gallego says these measures can range from simple corrective ones to those that prevent the risk or fully control the process.


Your organization will need to identify the teams or people who will carry out the risk responses. Called levels of responsibility by the Institute of Internal Auditors (IIA), these people can be: 1) process owners, who can identify the risks and their appropriate measures for different programs; 2) those with horizontal functions, who can provide support or monitor and challenge matters; and 3) those who can independently validate and ensure the consistency of RAM process reporting. Once your organization has assigned people to your risk responses, you will craft action plans with appropriate target implementation dates. Mr. Gallego says this is also a long process because action plans must be communicated across the organization, and funding must be secured for smooth implementation.

4. Evolve as you go

RAM does not stop at the creation of measures. Mr. Gallego describes the monitoring stage as an evolving document that inevitably entails writing reports, firming up processes to support action plans, and defining and redefining the frequency of risk assessments to ensure the action plans are working. It is up to your organization to decide how frequently you will go through the risk assessment process, but you must do it often enough to monitor the movement of your risks effectively.


Mr. Gallego says monitoring is essential because it keeps everyone, especially the governing body, in the loop with your RAM process. This helps your organization see whether the measures have effectively reduced risks to an acceptable level or whether there is a need to revise at the strategy and objective level.

5. Leave No One Behind

While it is difficult to identify and assess risks and come up with appropriate responses, getting everyone to understand the whole process is just as hard. Establishing and implementing your RAM process is not exclusive to the governing and management levels; it should trickle down to the rank and file. No one should be left behind, as everyone will feel the consequences of any risk should it manifest. Frameworks like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management (ERM) framework can be used, as it calls on all levels of the organization to participate.


To keep everyone informed of the RAM mechanisms in place, Mr. Gallego says organizations can undertake an awareness campaign. To ensure its effectiveness, your organization must use language that everyone understands. This will help people visualize the risks and their level of severity in relation to the organization.

Aligning RAM with your organization’s strategy and execution is a complicated process. But for Mr. Gallego, it all boils down to what it can do for your organization amid internal and external uncertainties: “If you have a very good risk management process, you will more or less be able to identify things that will really matter to your organization.” He emphasizes that the end goal of risk management is to reduce risks to an acceptable level.

Having Risk Assessment and Management in place is especially helpful to organizations going through the PGS pathway. By putting risk management between your strategy management and performance management, you can evaluate whether your existing targets and measures are attainable given your identified risks. Such iterative assessment can prompt a recalibration, or even the elimination of specific measures, so that you meet your organizational goals better.


Ready to set up and strengthen your organization’s risk management systems? We at ISA offer the Skills Lab, a capacity development program designed to empower organizations by enhancing diverse skills unique to any organization’s needs to achieve long-term sustainability and success. A Skills Lab course on Risk Assessment and Management awaits you! For more information, don’t hesitate to contact Janine Medina at jmedina@isacenter.org.