Business Risk Assessment Services

Our strategic business risk assessment services evaluate the most important risks, as opposed to the hundreds or thousands of trivial risks that may inherently impact an organization.  The business risk assessment process also includes an evaluation of activities that mitigate or reduce individual risks, called risk response strategies and tactics. Risk response strategies and tactics span a variety of activities from buying insurance to adding skills, training, technologies, and/or instituting defined protocols and procedures. 

Business Strategy and Risk Assessment Process

Business Risk Assessment, as a service, begins with the organization’s strategic plan, an organization chart, and gaining access to operational and financial indicator reports as well as several other sets of information.  A message is typically sent to all participants from the CEO underscoring the importance of the business risk assessment service to be performed and related expectations.  Business Risk Assessments are typically performed in one-on-one interviews.  Assuring and maintaining the anonymity of each and every participant is critical – which is why it is essential to consider utilizing an independent consultant.  Eliminating the fear of retribution better ensures the highest level of transparency and insight from all participants.  

Based upon the input from all participants, a report is drafted that identifies the top 10 to 20 risks that are supported by “contributing factors” and “mitigating activities” which provide context and depth to each important risk identified.  Each important risk is preliminarily plotted on a heat map which gauges the level of impact and probability.  The velocity (i.e., the speed at which a risk can emerge) is also gauged for certain risks.  Often, all participants are gathered for a few hours to discuss the business risk assessment and debate the risks, including their perceived level of impact and likelihood, and the effectiveness of the response strategies employed. Ultimately, consensus should be achieved and each important risk should clearly link with the strategic plan of the organization.


What Is The Goal Or Outcome Of A Business Risk Assessment?

A greater level of clarity of each risk and the related response strategies. 

Consensus achieved, with each important risk and response strategy clearly linked with the strategic plan of the organization.

A re-allocation of time, energy, and resources for the most important risk response strategies employed.  

An “owner” or “champion” of each risk is identified.  

Communication of emerging risks as well as changes to previously identified risks to senior executive management and the board on a periodic basis. 

Continued understanding of important risks and modified risk response strategies.

Case Study:

Business Risk Assessment Services


Higher Education – Private, liberal-arts university

 $250 million net revenue, mid-Atlantic, private


While the University President and senior leadership team supported the need for risk assessment, pressure from the Board of Trustees stimulated the need for an outside party to facilitate this effort, attributed in part to recent corporate and non-profit governance lapses captured in national and international headlines.


Strategic Business Risk Assessment is primarily conducted through anonymous, one-on-one interviews with all members of the senior leadership team and other key managers from the staff and faculty. 

  • Conducted selected one-on-one interviews of senior managers.  The need to maintain the anonymity of all interviewees was established at the start of each interview.  Interviews were scheduled for 90 minutes; however, most interviewees requested extended time during the interview.
  • Conversational interviews addressed a variety of topics including, but not limited to, the participant’s background and current responsibilities, direct reports and their responsibilities, employee turnover, current issues and challenges, systems used to support transactional processing, key performance metrics, and departmental initiatives, as well as reassurances, apprehensions, and other concerns regarding a few of the strategic initiatives contemplated by the President.
  • Anonymously surveyed all employees of the university including faculty and staff regarding their understanding of ERM and perceptions of the organization’s risk posture.  Results of the survey were subsequently shared with all employees during a town hall meeting by the President.
  • Upon completion of all interviews, drafted a business risk assessment report that identified the top 16 risks and each risk’s “contributing factors” and “mitigating activities” which provided context and depth to each important risk identified.  Each important risk was preliminarily plotted on a heat map which gauged the level of impact and probability. 
  • The preliminary draft was shared with members of the senior leadership team for their comments and clarification.  After a few clarifications were incorporated, a revised draft was distributed to all interviewees for their consumption. 
  • Facilitated a four-hour group discussion with all interviewees of the draft risk assessment; participants shared their views, perspectives, and suggested edits of the report, the need for additional/different mitigating activities to manage certain risks, and modified the placement of certain risks on the heat map which gauged the perceived impact and likelihood of each risk.  The need for changes to certain mitigating activities consumed much of the discussion.  New, revised, and suggested mitigating activities were captured in the appendix of the risk assessment for further analysis and debate.
  • Prior to the group discussion, the draft risk assessment report presented research regarding ten common “risk factors” and the application of common factors to recent, high profile corporate governance and risk management failures of larger enterprises, as well as smaller organizations.  Asked participants to apply the risk factors to a recent event within the university itself.
  • Facilitated the selection of “risk champions” and their underlying teams to manage, and periodically report changes to such risks, as well as identify emerging risks, to the senior leadership team and the Board of Trustees.
  • Presented an updated draft risk assessment to all members of the Board and the senior leadership team.  The Board requested a periodic (i.e., quarterly) ongoing update of all risks and mitigating activities identified.


COST REDUCTION & DEBT RATING – a report describing the business risk assessment within the enterprise risk management process, including key risks and response strategies that were shared with the bond rating agency, contributing to a BBB+ rating (rather than management’s expected BB+ rating), which reduced total bond interest expense by $2.0 million, released over $4 million in previously restricted debt service reserve funds, and contributed to an increase in debt capacity from $30.0 million to $50.0 million.  The business risk assessment services report also contributed to a reduction of insurance premiums paid.

FIDUCIARY RESPONSIBILITY – enabled the Board, which was composed of former CEOs and community business leaders, to meet their fiduciary responsibilities related to risk assessment and risk management.

RE-ALIGNMENT – a re-alignment of several risk response strategies that included the elimination of a costly post-graduate initiative and a re-alignment of capital among several response strategies.

MONITORING – the development of a monitoring program that included the establishment of a part-time internal audit function to evaluate the success of management’s response strategies.

CULTURE – launched a practical and effective ERM culture to manage risks based upon ten common risk factors.

COMMUNICATION – identification of individual risk champions and underlying teams, thereby improving the identification and communication of important risks.