The purpose of this stage is to assess each risk on the risk register and categorise it depending on its impact and likelihood of occurring. This assessment will help inform your subsequent decisions on whether an appropriate control needs to be established to mitigate that risk or whether improvements need to be made to existing controls.
You will need to take each risk recorded on the risk register and make an assessment of its severity in order to decide which ones require mitigating action.
There are a number of ways of categorising a risk. One method is to consider each identified risk and decide what the likelihood is of the risk occurring along with the severity of the impact on the scheme's objectives (as defined at the beginning of the risk-management process) if it did occur.
It can help to use a chart, such as the one below, when making the risk assessment.
Vertical axis: Likelihood of occurrence (chance of happening)

| High likelihood, low severity of impact | High likelihood, high severity of impact |
|---|---|
| Low likelihood, low severity of impact | Low likelihood, high severity of impact |

Horizontal axis: Level of severity of impact on the scheme (for example, the financial cost to the scheme)
This chart attempts to map risk using the likelihood of an undesirable outcome and the impact that an undesirable outcome will have on the scheme's ability to achieve its operational objectives. This process enables the trustees to identify those risks which fall into the major risk categories. Our example has only two divisions on each axis, low and high, but you may choose to have more.
Risks are categorised into red, amber and green (R, A, G). In the green zone, the exposure to risk is considered to be within the acceptable level (as established at the previous stage of the process).
A risk falling into the amber zone is not considered to be one that is an immediate threat to members' interests. However, this does not mean that no action need be taken as it is important that amber risks are monitored and prevented from becoming red risks.
Those falling into the red zone are thought to present a critical exposure to risk requiring immediate action. Red risks have a high likelihood of occurring and, when they do occur, would have an impact on the operational performance, objectives or reputation of the scheme. They may also involve a breach of legal requirements.
Having assessed each risk against this chart, you will need to update the risk register with your assessment.
Each risk has been assessed for likelihood and impact and then classified as either red, amber or green. This will provide the foundations for preparing an effective action plan. The assessment has been recorded in the risk register.