Author: Manu Steens
This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.
The structure is a matrix with, on one axis, the entity's objectives (strategic and operational) and, on the other axis, the possible internal and external factors identified in the quick scan.
This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.
More specifically, this ‘risk matrix’ looks like the one shown below:
| nr | Aspects (Quick Scan findings) | Risks: mention the incidents, their probability, cause and consequence |
|---|---|---|
| 5 | Human Resources Management | |
| 7 | Information and communication | |
| 10 | Information and communication technology | |
By filling in this matrix, the CRO answers three essential questions:
- Which objectives of the entity are subject to research?
- Which parts / aspects of the organization are the subject of research?
- For which risks is further insight required?
As a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.
As a second step, the CRO has to check systematically with the business which of the risk problem fields identified in the quick scan actually occur in the company and which require further investigation. To do this, the CRO questions the relevant internal and external experts and the management team concerned.
A quick scan is usually developed by surveying the experts about which risks they generally regard as realistic in relation to the aspects of the guideline. This can be supplemented with desk research using annual reports, audit reports, occupational safety risk inventories, fire prevention plans, continuity plans, incident registrations, and the damage history, including the registration of near misses.
Afterwards, in step 2, the matrix is "weighted" against the quick scan: it must be clearly decided which risks bear on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization, and what is done to control them. A first inventory of existing control measures can already be included in the quick scan.