
How often should you assess risk?

I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:

  • Our environment is volatile and performing risk workshops that take days and result in a risk assessment on an annual basis is not very useful.
  • Even risk assessments that are more frequent, from quarterly to monthly or weekly, can also be out of date when risk is changing every day.
  • The consideration of risk should be integrated into every business process, and performed at the speed of those processes.
  • The consideration of risk should be part of every decision made every day across (my words) the extended enterprise.
  • The risk practitioner needs the tools to help decision-makers consider risk at speed, within minutes if possible.

The comment I left on his related LinkedIn post was that risk should be assessed at the combined speed of risk and of the business. Let me explain:

  • If your organization operates in a very stable environment, then changes may be few and slow to appear. Therefore, the need for considering and assessing what might happen (a far better term than the 4-letter ‘r’ word, risk) arises less frequently.
  • But if either the external or internal environment (context, in ISO language) changes frequently, or if significant decisions are made pretty much daily, then that look forward needs to happen at least as often and as fast as the decisions are being made.

Consider this.

You are running a booth, showcasing your products and services, at a trade show. If the traffic is slow, you can relax to a degree and watch for potential visitors or trade show staff as you drink your coffee. But, if there is a lot of traffic, you have to be on high alert, both for potential customers that you can engage and for trade show staff who might want to curtail your operations because your signage is not in compliance with their rules.

If there is a lot of traffic, you need not only to be watching continuously but you might need to bring in additional resources so you can either seize opportunities or respond to threats.


Unfortunately, Alex’s video doesn’t tell the entire story. (Sorry, Alex).

I encourage everybody to subscribe to and watch his videos because he has an aptitude for challenging traditional practices and making you think. This time, he has good points but there is much more to say on this topic.

  1. His video only focuses on potential harms. If a decision is to be informed and intelligent, it needs to be based on reliable information on both the opportunities and threats. Decision-makers need to be able to balance the ‘risk and reward’ scenarios under each option.
  2. There is value in a periodic assessment of all the potential events and situations that may happen and their potential effect on the achievement of objectives. Changes in one source of risk may mean that the total picture has changed. The change has moved the potential threat (or opportunity) past a tipping point such that the overall situation has become unacceptable.

Let me clarify the second point.

In Making Business Sense of Technology Risk (which I recommend for all practitioners, not just those involved with technology-related risk), I have extended my discussions in earlier books to address the point that you can’t afford to assess individual sources of risk separately.

Here’s an excerpt:

Malcolm Gladwell made the term ‘tipping point’ famous with his 2000 book, The Tipping Point: How Little Things Can Make a Big Difference, although the term has been in use for much longer.

The Merriam-Webster dictionary defines it as:

The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place

It has a significant meaning, although rarely discussed, when it comes to risk management, specifically when there are multiple sources of risk. Adding one more source of risk, even if it is considered low and acceptable, can change a decision,


Imagine the board is considering the acquisition of CZY Inc. The discussion with the CEO and her team is drawing to a close.

They have reviewed the projected benefits of the acquisition, including the likelihood of each.

They have also reviewed all the risks identified by the executive management team, assisted by the CRO.

The lead independent director comments:

“It looks like a close call. There is a good chance that this will be a success and help us achieve our long term strategies. But, there is no certainty.

“What have we not considered?

“I don’t see anything in here about information security. Would the acquisition increase the risk to our intellectual property or our customer information?”

The CEO turns to the CRO, who replies:

“We looked at cyber risk and how well information security is managed by CZY. While I don’t think it’s up to our standards, they are doing an acceptable job. We should be able to upgrade the combined network’s security to our standards within six months.”

The lead independent director is not pleased.

“I can appreciate that CZY’s cyber security risk may be low and generally acceptable; but when you consider our own cyber situation (which we decided earlier needs improvement), this may be ‘one risk too far’.”

The CEO looks around the table at the directors and summarizes what he sees them thinking.

“Before we considered the additional cyber risk from the acquisition, I was inclined to move forward with it. It was a close call. But, even though the additional risk is small, I am starting to think we should wait. Hopefully, we can address the risks and have another look at the acquisition in six months.”

The cyber risk has taken the total level of risk to and over the tipping point.


Now let’s consider an example in a more dynamic environment.

A customer has just called to say that they would like to delay their $500,000 order for your products by three months. The executive in charge of Sales is considering whether to try to hold the customer to their contract or allow the delay. He determines that if he allows the delay, then the results for the quarter will be affected, but that will be made up in the next quarter and the full year’s revenue and profits will remain as forecast. But, if he holds the customer to the contract, that might impact customer retention and the possibility of further large sales next year. An option is to offer a discount to the customer for proceeding on schedule, but he knows that senior management will be unwilling to accept the reduction in profits.

He decides to allow the customer to delay, but gains their agreement that they will open negotiations for a second major purchase next year.

The trouble is that the executive is not seeing the big picture.

The delay in executing the contract will also impact cash flow. The company has a major construction project that is consuming a large amount of funds. The $500,000 delay could create a major problem when considered together with other issues, such as an unexpected increase in payments for vital materials.

The Sales executive doesn’t know that cash flow is tight and a major source of risk to the completion of the construction project – and that project is essential to the achievement of the company’s longer-range plan.

If decision-makers like the Sales executive were able to ‘add’ changes in specific sources of risk to the big picture (one that takes each objective and assesses, after considering what might happen, the likelihood of their success), a different decision might have been made. Even if the same decision was made, additional actions would have been taken to address the increased cash flow risk.


What I am saying is that a change in one source of risk can take the aggregate so-called ‘level of risk’ over the tipping point.


A periodic review that provides leadership with a perspective on whether objectives are likely to be achieved has great value.

  • It can identify the need for strategic and, often, tactical decisions to address the situation – including changing strategies and plans.
  • It enables tactical decisions to be made with an understanding of the big picture and how a change in a single source of risk can affect the aggregate acceptability of the situation.


I welcome your views and comments.


  1. May 3, 2019 at 11:22 AM

    I agree, you added good points. My only argument is that even periodic risk assessments are more meaningful inside the budgeting or planning or KPI process than a separate risk assessment

    • Norman Marks
      May 3, 2019 at 11:27 AM

      Can I say they are more useful when part of the periodic performance management process, because budgeting is typically infrequent?

      • May 3, 2019 at 11:32 AM

        Yes, improving performance management process with the risk assessment is an even better idea

        • Norman Marks
          May 3, 2019 at 1:22 PM

          Can we stop calling them risk assessments? That sounds like you are only looking at the downside

          • May 3, 2019 at 1:24 PM

            Not at all, Norman, risk assessment, in my mind at least, just means the process of understanding how uncertainty affects an objective or a decision, either way, downside, upside

            • Norman Marks
              May 3, 2019 at 1:26 PM

              It means that to you, but not to ordinary folk. We need to speak in their language if we seek to be understood.

              • May 3, 2019 at 1:30 PM

                You are right, I argue that is the ISO 31000 language as well

          • Anonymous
            May 4, 2019 at 1:53 AM

            I believe risk is neutral. I see value in macro and micro assessment. Applying change management as they do in chemical processes, to the attainment of objectives, would be useful. A mechanism for capturing emerging risks (opportunities and threats) would also be useful. Don’t worry too much about the semantics or language of risk as long as you are addressing the upside and downside. Norman you used the term risk and reward in your opening piece.

      • May 3, 2019 at 11:39 AM

        The point I was trying to make in my comment is that once risk management is integrated into some of the key processes the need for an additional periodic risk assessment is often superfluous, because some business processes are periodic and take the helicopter view of the business

  2. John Fraser
    May 3, 2019 at 12:45 PM

    An important topic. There are risk assessments and then there are risk profiles. Profiles, prepared periodically for discussion by management and the board, I liken to financial statements, somewhat obsolete by time of preparing but still useful for discussion and certainly better than nothing (as was the case before ERM). Assessments fall into two categories: periodic and ongoing. Periodic RAs should be done at: business planning time by each department/division etc. to justify the need for resources (i.e. no risk means no need for resources to handle the risk); on every major project, before, during and after go-live; for every major type of risk, e.g. environmental, safety etc. depending on stated objectives; in addition they can be ad hoc, e.g. during a strike my board asked for a RA assuming the strike lasted another six months. Ongoing assessments are less formal but done by everyone. As CRO, I read three newspapers a day and through my relationship network knew what was happening across the company, the industry and the country. If I or other members of the executive team became aware of any issues these were brought to the next meeting. Occasionally the issue would be so serious that the CEO would be informed immediately and a more formal discussion or RA performed. Apologies but I did try to be brief!

    • May 3, 2019 at 12:51 PM

      Should someone in the company do a risk assessment before an investment decision? What about before deciding on a new price for the product? What about before signing a contract? What about when choosing between buying or leasing equipment? What about before choosing a new supplier?

      • Norman Marks
        May 3, 2019 at 1:24 PM

        As I said in another comment, can we stop calling them risk assessments? We are talking about understanding the alternatives and how they may affect the achievement of objectives,

        • John Fraser
          May 3, 2019 at 1:33 PM

          Risk assessments (which can take many forms of information gathering and compilation, including risk workshops, interviews, simulations etc etc) are a generic and easily understood term, even if not always done well. What term would you suggest, Norman, in simple form that would be better? I do a RA every time I cross the road or make an investment or buy a lottery ticket.

          • Norman Marks
            May 3, 2019 at 2:26 PM

            I prefer to talk about understanding what might happen.

  3. John Fraser
    May 3, 2019 at 1:06 PM

    Absolutely. I should have been more detailed, by project I intended all of the above. I am always amazed at boards that do not request RAs, e.g. when opening a new business or going into new countries. I doubt that Target did any such thing before their disastrous venture into Canada (possibly the worst launch of a business in a different country in history!)

    • Norman Marks
      May 3, 2019 at 1:25 PM

      How many boards ask for an assessment of the RANGE of potential rewards and their likelihood? Even if they consider the downside, they don’t exercise discipline over the upside.

  4. Kaya Kwinana
    May 3, 2019 at 9:01 PM

    On appointment, every executive head of an organisation must set up sufficiently adequate internal control processes to provide reasonable assurance that organisational objectives will be achieved. Adequate internal control requires that there must be someone who has individual responsibility for each respective internal control process.

    At the heart of the scenarios identified in the article are deficiencies in the content and execution of responsibilities for two internal control/risk management processes, objective setting and risk identification, resulting in the buck-passing witnessed there.

    Objective setting is a responsibility of a boss and its output is specific arguments for the parameters of all the criteria of each specified objective.

    Risk identification is a responsibility of a subordinate and its output is a risk (opportunity and/or threat) addressing each of the arguments mentioned above.

    Any involvement by anyone or any additional structures in these responsibilities must be only at the request of the person responsible for that particular process and explicitly on an advisory basis unless the purpose is to avoid individual responsibility and to pass the buck.

    The only trigger for a relook at attendant risks is any change, however rare or frequent, in the articulation of, or insight into, any part of a criterion specified by the boss, one objective at a time, one area of responsibility at a time, by the appropriately responsible people.

  5. Osama S.
    May 4, 2019 at 1:42 AM

    I had just raised a similar question on Linkedin. I’m in agreement with the post and all the comments. The only addition is that we could use the results of these periodic assessments to double check our process i.e. if we catch new risks we ask ourselves if we should have been able to catch that risk earlier and if so then investigate why we didn’t.

    • Norman Marks
      May 6, 2019 at 6:43 AM

      Why limit yourself to spotting threats and not opportunities? Why not recognize that there is almost always a combination of good and bad potential effects?

  6. Anonymous
    May 5, 2019 at 2:40 AM

    Hi Norman my post was shown as anonymous I am happy to be shown as Sean Coleman

  7. Anonymous
    May 6, 2019 at 6:27 AM

    Terminology of Risk Assessment has been clearly defined under ISO 31000, yet there are many experts who have their own definition; I guess they think their standing in the Risk Management fraternity is on the top. It creates confusion, especially when the developing countries are trying to catch up. Periodic review should focus on the controls of the identified risks, where under current conditions additional controls are needed or obsolete controls should be removed. Our business world is so dynamic, filled with so many uncertainties like the China and USA trade war; the outcome is so unpredictable because the tweets are always different, going fine and then imposing higher tariffs. Those experts in RM, what have you got to say on this issue? It has great impact on the world economy.

    • Norman Marks
      May 6, 2019 at 6:45 AM

      Can the trade war and tariffs present opportunities? Can an organization that has factories in multiple locations not only suffer but benefit?

      • Gary Lim
        May 8, 2019 at 6:09 AM

        Good questions. The problem is that the RM experts don’t talk about this trade war among themselves: where are the opportunities and threats as an MNC operating in China? Often what I read are theoretical cases, and they often talk about opportunities of a risk but cannot provide ACTUAL examples. My previous company, an MNC, said that scanning their documents companywide had created opportunities for quick response to clients’ inquiries, which is true; then the threat of unauthorized access to the files, which I mentioned, was ignored, then later agreed to be a threat, hence another risk. Gary

  8. Gary Lim
    May 6, 2019 at 6:29 AM

    Forgot to insert my email on the above
