Risk assessment

Evaluating, measuring and managing risk and opportunity is important, and human capital risks in particular.

Organisations that manage their risks understand their current operational risks, can anticipate future challenges and opportunities, and understand how their people and their business model interact to deliver value for all stakeholders.

In developing a risk management framework for identifying and managing risks, there are two key domains:

Operational management identifies, assesses, controls and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives.

Operational managers own and manage risks. They are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for executing risk and control procedures on a day-to-day basis. Through a cascading responsibility structure, mid-level managers design and implement risk management and compliance procedures that serve as controls and supervise execution of those procedures by their employees.

A risk management and compliance function (board committee) facilitates and monitors the implementation of effective risk management practices by operational management. It assists risk owners in defining the target risk exposure and in reporting adequate risk-related information throughout the organisation, so as to ensure compliance with applicable laws and regulations (covering, for example, HR management, health and safety, supply chain, environmental or quality monitoring). In this capacity, the risk management and compliance function reports to senior management. A control function monitors financial risks and financial reporting issues. The responsibilities of these functions vary depending on their specific nature, but can include:

  • Providing risk management frameworks for identifying and managing known and emerging issues;
  • Identifying shifts in the organisation’s risk appetite;
  • Assisting management in developing processes and controls to manage risks;
  • Supporting management policies, defining roles and responsibilities, and setting goals for implementation.

Internal auditors provide senior management with impartial assurance on the effectiveness of governance, risk management and internal controls. The scope of this assurance usually covers:

  • efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures and contracts;
  • all elements of the risk management and internal control framework, which includes the internal control environment, all elements of the organisation’s risk management framework (risk identification, risk assessment and response), information and communication, and monitoring; and
  • the operating units and functions, including business processes such as sales, production, marketing, safety, customer functions and operations, as well as supporting functions (such as HR, payroll, IT, infrastructure and asset management).

Best practice is to establish and maintain an independent, adequately and competently staffed internal audit function, acting in accordance with recognised international standards for the practice of internal auditing.

External auditors, regulators and other external bodies outside the organisation’s structure can have an important role in the organisation’s overall governance and control structure. External audit findings enable an organisation to strengthen its controls, while providing assurance to the organisation’s stakeholders, including the board and senior management.

The risk management process

Risk management is a continuous activity.

Having a risk management process means that your organisation is aware of the risks to which it is exposed, has assessed those risks, and has strategies in place to reduce the likelihood of each risk occurring or to minimise the damage if it does occur.

The process answers two questions: What can go wrong? How do we prevent the harm from occurring, and how do we respond to the harm or loss if it actually takes place?

1. Identify the risks

Consider both the general risks and the risks specific to your organisation.

Risks can be:

  • Financial
  • Reputation/goodwill
  • Abuse (physical, emotional, psychosocial, sexual, financial)
  • Personal injury
  • Medical
  • Environmental
  • Company property / assets / infrastructure
  • Various other

2. Assess the risks

The next step is to assess each of the risks based on the likelihood or frequency of the risk occurring and the severity of the consequences.

A risk map that plots the likelihood of occurrence and the severity of the consequences can help you prioritise and choose to accept the risks that are part and parcel of the nature of the business.

3. Develop strategies for managing risks

Consider the most effective risk management strategies for each identified risk. Modify or change the risk-contributing activities so as to reduce the likelihood of the risk occurring or to contain the severity of the consequences. Consider transferring part of the risk to an outsourcing service provider in order to share the risk.

4. Implement & Monitor

When you have decided which risk management strategies will be the most effective and affordable for your organisation, chart who is responsible for each step in the risk management plan, communicate the plan, and provide training that reinforces the expectations, procedures and reporting needed to monitor the plan and to document any changes to it. Then keep asking:

  • Is the plan working?
  • Are people following the risk management plan?
  • Do we need to better communicate the plan?
  • Have risks changed?
  • Are changes, updates or re-training required?

Risk management is an evolving activity. Therefore, it is good practice to re-evaluate your organisation’s risk management plan on an annual basis.


Developing an HR risk management Plan

Organisations need to incorporate risk management into all planning and decision-making. However, the focus here is risk management as it applies to HR activities. People data can be used both to describe the value that is created through people management, HR and finance activity, and to help deal with the potential risks that organisations may face.

When developing a risk management plan for your HR activities, there are a number of areas to focus on:

For each HR activity, the potential risks and the questions to consider are listed below.

Payroll and benefits
Potential risk:
  • Financial abuse
Potential considerations:
  • Who has signing authority?
  • How many signatures are required?
  • Are there internal audit procedures / checks and balances?

Recruitment and hiring
Potential risk:
  • Discriminatory practices
  • Hiring unsuitable candidates
Potential considerations:
  • Was a complete screening completed on potential candidates?
  • Is there a set probationary period?
  • Were promises made to the candidate that cannot be honoured?
  • Did the employee sign off on the policies and contract of employment before being hired?

Occupational health and safety
Potential risk:
  • Environmental
  • Personal injury or death
Potential considerations:
  • Do we have adequate policies and procedures in place?
  • Do we provide safe working conditions, appropriate clothing and safety equipment, and do we conduct safety checks regularly?
  • Do we provide adequate training for staff?

Orientation, employee conduct and employee supervision
Potential risk:
  • Abuse
  • Leak of personal information
Potential considerations:
  • Do we have comprehensive policies and procedures?
  • Do we provide an employee handbook?
  • Do we provide sufficient orientation, training and supervision?
  • Do we have a performance management system in place?
  • Do we retain written records of performance issues?
  • Do we have clearly written job descriptions for all positions?
  • Do we follow up when attributes of the job description are not respected?
  • Do we ensure that organisational assets are secure?
  • Do we have cash management procedures?
  • Do we have adequate harassment policies and procedures?
  • Are personal information protection guidelines followed?

Exiting employee
Potential risk:
  • Company property
  • Compensation
Potential considerations:
  • Do we retrieve organisational information and equipment that a dismissed employee used?
  • Do we ensure that all access codes and passwords are de-activated?
  • Do we conduct an exit interview?
  • Do we record holiday balances?


There is a connection between risk management and liability. Therefore, it is very important to obtain legal advice about your risk management plan.


For more information about managing risk and creating value, visit the CIMA website:

CIMA Global

For detailed research on risk management and resilience see the Airmic research:

Roads to Resilience – Building dynamic approaches to risk to achieve future success