In the last blog, we saw that the effort taken to establish the context of risk for the organisation is critical. We'll now start to explore the next phase in the risk management process which is actually three steps bundled under a broader heading called Risk Assessment. Those steps are:
It should be remembered that risks may be assessed by individual project or process, by department, division or even the organisation as a whole. In each case, you'll want to consider the appropriate tools and techniques for the situation.
The Risk Assessment component of the risk management process is designed to assist in understanding the impact or consequences of risks and the likelihood or probability of them occurring. With this understanding, their effect on the achievement of objectives, and therefore whether treatment is required, can be determined.
The International Standard ISO 31010 - Risk management - Risk Assessment techniques offers the following:
Risk assessment provides an understanding of risks, their causes, consequences and their probabilities. This provides input to decisions about:
whether an activity should be undertaken;
how to maximise opportunities;
whether risks need to be treated;
choosing between options with different risks;
prioritising treatment options;
the most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level.
Risk assessment is therefore a powerful tool, and organisations should get into the habit of performing risk assessments regularly and diligently.
A properly executed risk assessment process also considers the existing controls that are in place and their adequacy and effectiveness.
So let's consider the first step in the risk assessment process.
The purpose of this step is to understand what risks might affect the organisation (or department, division, process or project) in achieving its objectives.
As risks are identified they should be documented, and the nature of any existing controls should also be recorded. For instance, with a safety-related risk, reference should be made to the Hierarchy of Controls. Similar principles can be applied to most risks, i.e. do the existing controls rely on human actions, physical controls, system controls, etc.
The purpose of the identification exercise is to understand the cause and source of each risk and under what circumstances or in what situations it may occur. These could be risks that are one-off and occur as a result of a specific event (e.g. a natural disaster), or they could be the outcome of deteriorating conditions (e.g. major equipment failure).
This is the stage where the risk assessor will initially consider the materiality of the risks in the context of the organisation, although deeper analysis of this occurs in the next step, risk analysis.
So how does one go about identifying risks? Well, there are a multitude of techniques that can be adopted for the purpose. There is no right or wrong tool - it really just has to meet the needs of the users and the organisation.
Complex business operations and related data may require quite a sophisticated risk identification technique, whereas more straightforward processes may use a fairly basic tool. Whatever the choice, it needs to identify as many risks as possible.
As a result, many firms will use multiple tools in the risk identification process and will include people from as many different parts of the operation as possible to get a wide range of views and experiences. Some will engage external subject matter experts or consultants to help facilitate a deeper exploration of potential threats and opportunities.
Some of the more popular techniques and tools include brainstorming sessions (also known as risk workshops), interviews with key staff, historical incident analysis (including incidents affecting competitors or similar industries), scenario analysis and root cause analysis.
We'll examine some of the more common techniques in further detail in a later blog.
In the next post, we'll move on to the Risk Analysis and Risk Evaluation steps of the overall risk assessment process.