In the last post, we reviewed the first step, Identify Risks, in the three-phase Risk Assessment process. Now we'll have a look at what's involved in step two, Analyse Risks.
So, you have a list of risks you've identified that will normally consist of several threats to achieving your business objectives and hopefully, some opportunities to maximise the organisation's results. So what now?
Firstly, you need to analyse the risks. Why?
Because not all risks are created equal!
Some threats are large and imminent and therefore require immediate and decisive action. Some opportunities are small and unlikely so probably don't warrant precious resources being focussed on them.
So this critical step helps sort minor or negligible risks from the major / critical / catastrophic ones.
In doing so, the risk analysis phase endeavours to understand the nature, sources and causes of the risks identified. Importantly, it also studies the impacts or consequences should the risk eventuate and the likelihood or probability of it occurring.
The final step in the risk analysis process is to examine any controls currently in place to mitigate the risk. This will include a view on the controls' effectiveness.
The effort required in this step will depend on the type of risks, comprehensiveness of information available and the resources dedicated to conducting the analysis.
There are a couple of key tools used to help rank the risks – a consequence table and a likelihood table (examples below). Naturally, the consequence and likelihood tables for your organisation will be customised to its risk environment and will be more comprehensive than these examples.
How do you rate the various risks? There should be multiple inputs in this process to ensure the widest possible range of data and people are consulted. Various methods used include:
Risk Workshops or brainstorming sessions
Subject Matter Expert (SME) input
Past audit report findings
Historical incident records (including those affecting competitors or similar industries)
Industry or external experts
Once you collate all of the inputs from the various analysis exercises you'll need to plot the risks onto a 'heat map' or risk matrix. This helps visualise the risks in terms of their consequence and likelihood but also in relation to each other - that is, you can start to see which are the greater threats or opportunities.
As a result of your analysis efforts, you'll produce the first stage of what will ultimately become your risk register (example below).
The risk analysis step takes some effort, but the more time and energy spent on it, the better the quality of the output and the greater the level of assurance that the business's risks are now prioritised according to the potential opportunity or threat.
In the next post we'll look at the Risk Evaluation phase - the concluding step to the overall Risk Assessment element of the Risk Management Process.