Risk assessment is the process of analyzing operational, financial and reputational risks (including the risk of fraud) that encompasses the identification of the reasons for the risk and control mechanisms implemented to manage risk. Risk assessment allows the Company/Group to analyze the extent to which potential events could impact the fulfillment of its objectives.
Risks are assessed from two perspectives:
- Assessment of effects of the risk on the activity of the Company/Group,
- Assessment of the probability that a risk event will occur.
After risk assessment, the Management Board decides on its risk response: whether it accepts its current level or if certain measures must be taken to reduce it (introduction of control mechanisms).
The assessment of effects reflects the consequences of a risk for the activities of the Company/Group.
On the other hand, probability is the possibility that an event may occur that may have an adverse effect on the fulfillment of the Company’s/Group’s business objectives. Where possible, the probability is calculated on the basis of data on the past events, which, as opposed to subjective estimates, constitute an objective basis for assessing probability. Where such assessment is not possible, the estimation of probability is based on expert knowledge of the risk owner and the individuals involved in the risk assessment and measurement process.
During risk assessment, the Company/Group also considers the notion of inherent and residual risk. Inherent risk combines the probability of an event and its consequences in a situation where no risk management measures are taken (no control mechanisms implemented in this respect). Residual risk is the risk level after the Company implements a risk management strategy, assuming that the control mechanisms, including policies, procedures and controls, work effectively.
After all the risks are identified, the group prepares a consolidated register of risks, which contains only the information (risks) that is the most critical from the group’s point of view, i.e.: