Once the organization's Compliance risks have been identified, you must proceed to their analysis and evaluation (or assessment). To do this, you must know the inherent risk and the residual risk of each of the risks that appear in the organization's risk map.
The main objective of Compliance risk management is to better understand risk exposure so that informed decisions can be made about how to manage it. With this in mind, the methodology applied to the analysis and evaluation of Compliance risks will be adapted to each organization and will include as many elements as the Compliance Officer considers appropriate and the Administrative Body approves. Therefore, we must keep in mind that this exercise is unique to each company and will depend on factors such as industry, size, location, etc.
In accordance with the provisions of ISO 31000 Risk Management: “Risk analysis can be performed with different degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of the information and resources available (…) The risk analysis should consider factors such as:
- The probability of events and consequences;
- The nature and magnitude of the consequences;
- Complexity and interconnection;
- Factors related to time and volatility;
- The effectiveness of existing controls;
- The levels of sensitivity and trust.”
On the other hand, ISO 31000 itself tells us that the objective of risk assessment is to “support decision making”: “Risk assessment involves comparing the results of the risk analysis with established risk criteria to determine when additional action is required.”
Therefore, during risk analysis and assessment we will determine the probability that each risk materializes and the consequences the organization would have to face if it did. This forecasting exercise will inevitably be carried out taking into account the level of inherent (also called gross) risk and residual (or net) risk of each of the risks that make up the organization's risk universe.