Identifying and evaluating risk across the business

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Identifying and evaluating risk across the business
  • What is risk?
  • Establish the organisation's risk appetite
  • Gather risk information from internal stakeholders
  • Review available risk information to identify risks
  • Evaluate and record risks

Identifying and evaluating risk across the business

Lawyers generally have a reputation among business people for being risk averse. In-house lawyers cannot be excessively risk averse—they have to embrace risk, knowing how to identify it and acting appropriately. If not, they will become an unnecessary obstruction in their organisation, stopping legitimate business initiatives and alienating themselves from their business colleagues.

In-house lawyers and compliance professionals work with legal risk all the time. To add maximum value to your business you should also participate in the assessment and management of your organisation's non-legal risks.

This Practice Note provides guidance on how to identify and evaluate risk across your business. Managing risk is not a one-off event, it is an ongoing process, as illustrated below:

This Practice Note covers the following stages from the lifecycle:

  1. establish the organisation's risk appetite—see Precedent: Risk appetite statement

  2. gather risk information from internal stakeholders—see Precedent: Risk questionnaire

  3. review available risk information to identify risks—see Precedent: Risk audit

  4. evaluate and record risks—see Precedent: Risk register

What is risk?

There is a widely accepted definition of risk, ie:

Risk = impact x probability

So, for any given risk faced by your business, there are two questions:

  1. if that risk materialised, how bad would it be, ie what’s the impact?

  2. how likely is it that the risk will materialise, ie what’s the probability?

A risk register is a way

Popular documents