April 5, 2026 | 5 min read

Process Risk Assessment: From Gut Feeling to Governance

Stop guessing which processes need attention. Assess process risk with a likelihood-impact matrix, control effectiveness scoring, and residual risk tracking.

The Dictiva Team

The Problem with "It Feels Risky"

Ask any operations leader which processes keep them up at night and you'll get an answer in seconds. Ask them why those processes are risky, and you'll get a pause. A long one.

Most organizations run on instinct when it comes to process risk. The payroll process feels critical because it touches money. The data pipeline feels risky because it broke last quarter. The compliance reporting process feels important because the regulator called once.

Instinct isn't wrong. It's just not scalable. When you have 50 processes, gut feeling works. When you have 500, you need a framework. And when a board member asks "what's our risk exposure across the process landscape?" — you need numbers, not narratives.

What Process Risk Assessment Actually Is

Process risk assessment is the systematic evaluation of what could go wrong in a business process, how likely it is, and how bad it would be. It's built on a deceptively simple formula that governance professionals have refined over decades:

Inherent Risk = Likelihood x Impact

That's it. Two dimensions, multiplied together, producing a score you can compare across every process in your organization.

But the real power comes from what happens next: you layer in your controls — the policies, standards, and procedures that mitigate risk — and calculate what's left over.

Residual Risk = Inherent Risk - Control Effectiveness

The gap between inherent and residual risk? That's the value your governance program delivers. If you can't quantify that gap, you can't justify your governance budget.

The Likelihood-Impact Matrix

The 5x5 risk matrix is the workhorse of risk assessment. It maps five levels of likelihood against five levels of impact, producing risk scores from 1 to 25.

Likelihood levels range from Rare (could happen only in exceptional circumstances) to Almost Certain (expected to occur frequently). The key is to assess probability based on evidence: has this happened before? How often does it occur in your industry? Are conditions changing?

Impact levels range from Negligible (barely noticeable) to Severe (threatens business continuity). Always assess impact across multiple dimensions — financial, operational, reputational, regulatory, and safety — and use the highest as your rating.

The matrix produces four risk bands:

  • Low (1-4): Monitor during routine reviews
  • Medium (5-9): Ensure controls are adequate
  • High (10-15): Active management required
  • Extreme (16-25): Immediate action needed

The visual matrix does something spreadsheets can't: it shows you the entire risk landscape at a glance. When your board sees a heat map with clusters of red in the top-right corner, the conversation about risk investment writes itself.

Inherent vs. Residual: The Two Numbers That Matter

Inherent risk is your raw exposure — the risk before any controls exist. It answers: "If we did absolutely nothing to manage this process, how exposed are we?"

This sounds theoretical, but it's practically important. Inherent risk stays relatively stable over time (unless the process itself changes), which makes it a reliable baseline for comparison.

Residual risk is your actual, real-world exposure after controls are applied. It's what you're living with right now.

The relationship between these two numbers tells a powerful story:

  • High inherent, low residual: Your controls are working. Well-governed process.
  • High inherent, high residual: Controls are insufficient. Investment needed.
  • Low inherent, low residual: Low-priority process. Don't over-invest.
  • Low inherent, high residual: Something is wrong with your assessment. Revisit.

Control Effectiveness: Where Governance Meets Risk

Controls are the policies, procedures, and mechanisms that reduce risk. In a governance platform, the statements your processes adopt are the controls.

Control effectiveness isn't binary. A policy that exists in a document library isn't the same as a policy that's actively enforced, regularly tested, and continuously improved. We use four levels:

  • None: No controls in place. You're flying blind.
  • Weak: Controls exist but are informal or inconsistent. Paper governance.
  • Adequate: Controls are documented and implemented with some gaps. Working governance.
  • Strong: Controls are mature, tested, and monitored. Governance as a competitive advantage.

The reduction percentages — 0%, 25%, 50%, 75% — are deliberately conservative. Even "strong" controls don't eliminate risk entirely. The remaining 25% represents the irreducible uncertainty that exists in any complex system.
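To make the formulas, the four risk bands, the inherent/residual combinations and the control effectiveness levels above concrete, here is an added worked example (illustration code written for this article, not Dictiva's own implementation). It assumes the 5x5 matrix uses integer ratings 1 to 5, reads "Inherent Risk - Control Effectiveness" as subtracting the stated percentage of the inherent score, rounds residual scores before banding, and treats the High and Extreme bands as "high" when reading the inherent/residual story; the three sample processes are constructed.

```python
# Added worked example of the scoring model in this article (not Dictiva's code).
# Assumed: ratings are integers 1..5; control effectiveness is a percentage reduction
# of the inherent score (None 0%, Weak 25%, Adequate 50%, Strong 75%).

CONTROL_REDUCTION = {"none": 0.00, "weak": 0.25, "adequate": 0.50, "strong": 0.75}

# Band thresholds from the article: Low 1-4, Medium 5-9, High 10-15, Extreme 16-25.
BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Extreme"))


def inherent_risk(likelihood: int, impacts: dict) -> int:
    """Likelihood x Impact, using the highest impact across the assessed dimensions."""
    if not (1 <= likelihood <= 5) or not all(1 <= v <= 5 for v in impacts.values()):
        raise ValueError("likelihood and impact ratings must be between 1 and 5")
    return likelihood * max(impacts.values())


def residual_risk(inherent: int, control: str) -> float:
    """Inherent score minus the reduction credited to the control effectiveness level."""
    return inherent * (1.0 - CONTROL_REDUCTION[control])


def band(score: float) -> str:
    """Map a score onto the four bands; a positive score never drops below Low."""
    points = max(1, round(score))
    for upper, name in BANDS:
        if points <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def read_the_story(inherent_band: str, residual_band: str) -> str:
    """The four inherent/residual combinations; High and Extreme count as 'high' (assumed)."""
    high = {"High", "Extreme"}
    if inherent_band in high:
        return "controls working" if residual_band not in high else "investment needed"
    if residual_band not in high:
        return "low priority"
    return "revisit assessment"  # cannot arise from the formula; flags an overridden score


def assess(name: str, likelihood: int, impacts: dict, control: str) -> dict:
    """One assessment record: inherent and residual scores, their bands, and the story."""
    inherent = inherent_risk(likelihood, impacts)
    residual = residual_risk(inherent, control)
    return {"process": name, "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual),
            "story": read_the_story(band(inherent), band(residual))}


if __name__ == "__main__":
    # Constructed sample processes (the three named in the opening), not real data.
    print(assess("payroll", 4, {"financial": 5, "operational": 3}, "strong"))
    print(assess("data pipeline", 5, {"operational": 4, "financial": 2}, "weak"))
    print(assess("compliance reporting", 2, {"regulatory": 3}, "adequate"))
```

Payroll lands at inherent 20 (Extreme) but residual 5 (Medium), the "controls are working" quadrant, while the data pipeline stays at residual 15 (High) and shows where investment is needed.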

Risk Trend: The Direction Matters

A process with "High" residual risk that's trending downward is very different from a "Medium" risk that's trending upward. Direction tells you where to focus attention.

Track trends quarterly at minimum, and update whenever significant changes occur — control improvements, incidents, regulatory shifts, organizational restructuring.

Why This Matters Now

Regulatory pressure on process governance is intensifying. DORA requires financial institutions to assess ICT risk at the process level. SOX demands control effectiveness documentation. ISO 27001:2022 explicitly requires organizations to assess risks associated with business processes.

The organizations that can quantify their process risk — not just identify it — will have a decisive advantage in audit preparation, board reporting, and regulatory response.

Getting Started

If you're new to process risk assessment, start simple:

  1. Map your processes — You can't assess risk on processes you haven't identified
  2. Assess your top 10 — Start with the processes everyone agrees are important
  3. Be honest about controls — Overrating control effectiveness is the most common mistake
  4. Compare and prioritize — The matrix reveals where your attention should go
  5. Review quarterly — Risk isn't static; your assessments shouldn't be either

The goal isn't perfection on day one. It's building the muscle of systematic risk thinking across your organization.

Dictiva's Process Universe includes built-in risk assessment with interactive likelihood-impact matrices, control effectiveness scoring, and computed residual risk. See the full Risk Assessment Guide for detailed methodology.