While each firm has its own risks scoring guide, most firms will follow common guidelines, such as suggested by IOSCO on the Risk Identification and Assessment Methodologies for Securities Regulators.
This article includes examples of risk scoring matrices used for Impact (inherent or gross risk – described in our section Risk Register), Likelihood (or probability), and the scoring of respective mitigating Controls, both in terms of design as well as performance of the defined controls.
As discussed in a previous post, visual representation of risks scores is a useful way for risk managers to complement their risk management reports. As part of the identification and assessment of risks in a firm, a risk manager will record entries in a risk register, rating each risk individually in terms of Impact, Likelihood and mitigating Controls. The example below uses a four grade scoring for each of these dimensions (some firms use five as discussed in this article).
Risk Scoring example for Impact and Likelihood (or Probability)
Control Scoring Guide for Design and Performance
Residual Risk Scoring Matrix
The assessment of risks assumes that controls which fail to perform or are not in place, therefore leaving the risk unmitigated, introduce the concept of inherent or gross risk. All risks are scored on both impact and likelihood and the combined score determines which area of the residual risk matrix it falls into (see matrix below). Usually firms will follow a rule that explicitly determines that if a risk falls into the very high inherent range, it must have at least one key control that is, as a minimum, strong in design and strong in performance otherwise it falls into the category of requiring improvement and will have an action point logged against it and assigned to an owner.
This process of determining residual risk is based on the control effectiveness and allows for thematic reviews on risks that fall into specific categories. All risks that fall into the very high category and fail to have at least one key mitigating control that is strong both in design and performance will be flagged and communicate by the risk manager on the reporting of risk management information. The VH/H risks can also be flagged using a heat map as explained in article “How to create a Risk Heatmap in Excel – Part 1“.