Cours : ENTERPRISE RISK MANAGEMENT (ERM)/ Niveau: (AFC) 2025-2026 Par: TCHIENGANG D.
PEGUY R.
Page 1 sur 8
CHAPTER 3: RISK IDENTIFICATION AND
ASSESSMENT TECHNIQUES
1. Introduction
Risk identification and assessment are core components of the Enterprise Risk Management (ERM) process.
They allow an organization to systematically:
Recognize potential threats and opportunities,
Evaluate their likelihood and potential impact, and
Prioritize responses consistent with the company’s risk appetite and strategic objectives.
In the Cameroonian context, this process is particularly relevant due to factors like economic volatility, infrastructure
gaps, regulatory uncertainty, and currency fluctuations within the CEMAC region.
2. Risk Identification
2.1 Definition
Risk identification is the systematic process of recognizing potential events, internal or external, that may affect an
organization’s ability to achieve its objectives.
It is the first and most critical step in risk management because unidentified risks cannot be managed or mitigated.
2.2 Objectives of Risk Identification
To build a comprehensive inventory of possible risks (risk register).
To identify root causes and sources of those risks.
To distinguish between controllable and uncontrollable risks.
To enable early warning and preventive action.
2.3 Common Tools and Techniques for Risk Identification
A. Brainstorming
Definition:
A structured group discussion used to generate a wide range of potential risks through open dialogue among managers,
employees, and subject experts.
Steps:
1. Define the objective or process under review.
2. Gather a diverse team (finance, operations, HR, audit, etc.).
3. Encourage open sharing of potential risk scenarios.
4. Categorize risks (strategic, operational, financial, compliance).
5. Document and evaluate.
Example (Cameroon):
Commercial enterprise:
At Guinness Cameroon S.A., management teams may brainstorm possible risks before
launching a new product — for instance, supply chain disruptions due to poor road infrastructure or regulatory
changes in alcohol advertising.
Financial institution:
Afriland First Bank Cameroon may conduct brainstorming sessions to identify credit
default risks when expanding loan portfolios to SMEs in unstable regions (e.g., Northwest/Southwest).
B. Checklists and Risk Catalogues
Cours : ENTERPRISE RISK MANAGEMENT (ERM)/ Niveau: (AFC) 2025-2026 Par: TCHIENGANG D.
PEGUY R.
Page 2 sur 8
Definition:
Checklists summarize known risks from prior experience or industry standards to ensure that common threats are not
overlooked.
Sources:
Internal audit reports
Industry risk databases (e.g., Basel Committee for banks)
ISO 31000 risk management standards
Advantages:
Efficient and systematic
Builds on historical experience
Ensures no “obvious” risks are missed
Limitations:
May ignore emerging or new risks unique to current operations
Example (Cameroon):
Commercial enterprise:
CIMENCAM (LafargeHolcim Cameroon) uses checklists to review operational risks
such as raw material shortages, equipment failure, or regulatory compliance in environmental standards.
Financial institution:
Commercial Bank of Cameroon (CBC) employs checklists to evaluate credit, market, and
operational risks as required under COBAC (Banking Commission of Central Africa) regulations.
C. Risk Mapping (Risk Register and Risk Matrix)
Definition:
Risk mapping visually represents risks according to their probability and impact on a two-dimensional matrix, facilitating
prioritization.
Impact ↓ / Likelihood →
Low
Medium
High
High Impact
Moderate Risk
Major Risk
Critical Risk
Medium Impact
Low Risk
Moderate Risk
Major Risk
Low Impact
Minimal Risk
Low Risk
Moderate Risk
Example (Cameroon):
Commercial enterprise:
Cameroon Development Corporation (CDC) may map agricultural risks such as crop
disease (high likelihood, high impact), labor unrest (medium likelihood, high impact), and currency fluctuation
(high likelihood, medium impact).
Financial institution:
Ecobank Cameroon may identify and map risks such as cyber-attacks (medium likelihood,
high impact), loan defaults (high likelihood, high impact), and regulatory fines (low likelihood, medium impact).
D. SWOT and PESTEL Analysis
Definition:
SWOT (Strengths, Weaknesses, Opportunities, and Threats): Used to identify internal weaknesses and
external threats.
PESTEL (Political, Economic, Social, Technological, Environmental, and Legal): Identifies external risk
drivers.
Example (Cameroon):
Commercial enterprise:
MTN Cameroon uses PESTEL to assess risks like changes in telecom taxation (Political),
inflation (Economic), and cyber security vulnerabilities (Technological).
Financial institution:
National Financial Credit Bank (NFCB) applies SWOT to evaluate internal weaknesses such
as limited digital infrastructure and external threats such as fintech competition.
E. Interviews and Questionnaires
Structured interviews with department heads or surveys can uncover hidden risks that may not surface in group
brainstorming.
Cours : ENTERPRISE RISK MANAGEMENT (ERM)/ Niveau: (AFC) 2025-2026 Par: TCHIENGANG D.
PEGUY R.
Page 3 sur 8
Example (Cameroon):
Banks often interview branch managers to identify operational and fraud risks.
Manufacturing firms interview production supervisors to understand process bottlenecks.
F. Historical Data and Loss Analysis
Past incident data can indicate recurring or systemic risk patterns.
Example:
Société Anonyme des Brasseries du Cameroun (SABC) tracks past supply chain disruptions during rainy
seasons to forecast future logistic risks.
BICEC Bank reviews loan default patterns by region to identify credit risk concentration.
3. Risk Assessment
Once risks are identified, risk assessment evaluates their magnitude, probability, and potential consequences to
prioritize mitigation.
3.1 Objectives
Determine which risks matter most (materiality).
Support decision-making on resource allocation.
Facilitate integration into the ERM framework.
3.2 Aproaches to Risk Assessment
A. Qualitative Risk Assessment
Definition:
A descriptive, non-numeric approach focusing on expert judgment and relative ranking.
Tools:
Risk matrices (impact vs. likelihood)
Risk ranking or heat maps
Scenario discussions
Advantages:
Simple, fast, easy to communicate
Suitable when data is scarce
Example (Cameroon):
Commercial enterprise:
Camair-Co (Cameroon Airlines) qualitatively ranks risks such as fuel price volatility
(high), flight cancellations (medium), and labor disputes (medium).
Financial institution:
UBA Cameroon uses qualitative assessments to rate operational risks (fraud, internal
control lapses) on a scale of Low, Medium, or High, based on past audit findings.
B. Quantitative Risk Assessment
Definition:
A numerical or data-driven evaluation that measures risk using statistical or financial models.
Techniques:
1. Probability and Impact Analysis: Estimating expected loss = Probability × Impact.
2. Sensitivity Analysis: Evaluates how changes in one variable affect outcomes.
3. Value at Risk (VaR): Common in banking — estimates potential portfolio loss over a given time frame and
confidence level.
4. Stress Testing / Scenario Analysis: Simulates extreme but plausible conditions (e.g., economic shocks).
Advantages:
Objective and data-supported
Facilitates risk-based capital allocation
Limitations:
Requires data availability and expertise
Cours : ENTERPRISE RISK MANAGEMENT (ERM)/ Niveau: (AFC) 2025-2026 Par: TCHIENGANG D.
PEGUY R.
Page 4 sur 8
May overlook qualitative factors (e.g., reputation)
Example (Cameroon):
Financial institution:
o SCB Cameroun (Société Commerciale de Banque) uses Value at Risk (VaR) to measure potential
market losses from exchange rate movements between XAF and USD.
o COBAC regulations require Cameroonian banks to conduct stress testing to evaluate capital
adequacy under adverse scenarios (e.g., drop in oil prices affecting loan recoveries).
Commercial enterprise:
o Dangote Cement Cameroon applies sensitivity analysis to estimate how fluctuations in fuel prices or
exchange rates impact production costs and profit margins.
o ENEO Cameroon performs quantitative assessments to determine financial losses from electricity
theft and distribution network failures.
4. Integration of Identification and Assessment
Risk identification feeds directly into assessment — together they produce a Risk Register, typically including:
Risk
ID
Risk Description
Source
Likelihood
Impact
Category
Mitigation Strategy
R1
Fuel price increase
affecting logistics
External (Market)
High
High
Financial
Negotiate fixed-rate
contracts
R2
Credit default by SMEs
Internal/External
High
Medium
Financial
Strengthen credit
scoring
R3
Cyber-attack on digital
banking platform
External
(Technological)
Medium
High
Operational
Upgrade cyber
security and train
staff
5. Challenges of Risk Identification and Assessment in Cameroon
1. Data Limitations: Lack of reliable financial and operational data for quantitative assessment.
2. Weak Risk Culture: Limited awareness and training in ERM within SMEs.
3. Regulatory Uncertainty: Frequent tax or policy changes.
4. Infrastructure and Technological Gaps: Affect data collection and monitoring.
5. Political and Security Risks: Particularly in conflict-prone regions (Northwest/Southwest).
6. Practical Case Studies (Cameroon)
Case 1: Afriland First Bank Cameroon
Situation: Increase in non-performing loans (NPLs).
Identification: Using checklists and credit portfolio analysis to spot high-risk sectors (real estate, agriculture).
Assessment: Quantitative analysis using probability of default (PD) and loss given default (LGD).
Outcome: Improved credit screening and diversification reduced NPL ratio by focusing on SME risk training.
Case 2: Guinness Cameroon
Situation: Risk of supply chain disruption during rainy seasons.
Identification: Brainstorming sessions and historical data analysis.
Assessment: Qualitative risk matrix (high likelihood, medium impact).
Outcome: Developed supplier diversification and warehousing strategy to mitigate delays.
7. Conclusion
Effective risk identification and assessment form the foundation of a robust ERM framework.
By combining qualitative judgment and quantitative analysis, enterprises and financial institutions in Cameroon can:
Anticipate emerging risks,
Cours : ENTERPRISE RISK MANAGEMENT (ERM)/ Niveau: (AFC) 2025-2026 Par: TCHIENGANG D.
PEGUY R.
Page 5 sur 8
Strengthen internal controls, and
Align risk-taking with strategic objectives.
As the Cameroonian business environment evolves under digitalization, regional integration, and environmental pressures,
organizations must continually refine their risk identification and assessment tools for resilience and sustainability.
Probability–Impact Matrix and Risk Appetite & Tolerance
1. Introduction
In Enterprise Risk Management (ERM), organizations must evaluate, prioritize, and decide how much risk they are willing
to accept.
Two important tools support this process:
1. The Probability–Impact Matrix (PIM) – for assessing and ranking risks.
2. Risk Appetite and Tolerance – for defining acceptable risk boundaries.
These tools ensure that decision-makers balance risk exposure with strategic objectives, resource allocation, and
stakeholder expectations.
2. Probability–Impact Matrix (PIM)
2.1 Definition
The Probability–Impact Matrix, also known as a Risk Heat Map, is a visual tool used to evaluate and prioritize risks
based on two key dimensions:
Probability (Likelihood): The chance that a risk event will occur.
Impact (Severity): The magnitude of consequences if the risk event occurs.
Each risk is assessed qualitatively or quantitatively and placed in a grid (matrix) to identify which risks require immediate
attention.
2.2 Structure of a Probability–Impact Matrix
Impact ↓ / Probability →
Low (1)
Medium (2)
High (3)
High (3)
Moderate Risk
Major Risk
Critical Risk
Medium (2)
Low Risk
Moderate Risk
Major Risk
Low (1)
Minor Risk
Low Risk
Moderate Risk
Color Coding (Typical):
� Green: Low risk – acceptable/manageable.
� Yellow: Moderate risk – monitor closely.
� Red: High risk – requires urgent mitigation or control.
2.3 Steps to Construct a Probability–Impact Matrix
1. Identify risks: Using techniques such as brainstorming, checklists, or risk mapping.
2. Define rating scales:
o Probability Scale (e.g., 1–5)
1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Almost Certain
o Impact Scale (e.g., 1–5)
1 = Negligible, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic
3. Assign scores: Based on expert judgment or data.
4. Plot risks on the matrix.
5. Prioritize risks: High-probability/high-impact risks are prioritized for mitigation.
2.4 Advantages of the Probability–Impact Matrix
Simplifies complex risk information into a clear visual format.
Encourages strategic discussion and prioritization.
Links directly to resource allocation and contingency planning.
Can be updated periodically as risks evolve.
6
7
8
1
/
8
100%
