This article is the eleventh of fourteen parts in our risk management series. The series takes a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we walk through the core aspects of the Standard and give you practical guidance on how to implement it.

In previous articles we’ve looked at the core elements of the risk management framework, as well as the role of leadership and commitment, integration, design, implementation, evaluation and improvement more specifically. We’ve briefly looked at the risk management process in a general sense, and we’ve focused on the importance of communication and consultation and on how to set your scope, context and criteria. In this article, we’ll be looking at risk assessments and the role of risk identification, analysis and evaluation within them.


In its most basic form, a risk assessment is the process of identifying, analysing and evaluating a risk. Conducting these activities is crucial for organisations to be aware of which risk factors may affect them, and how to deal with those effects when they do occur. You’re likely already familiar with the notion of risk assessments; most organisations have risk assessments which, for example, typically relate to fires, manual handling and the storage of chemicals. While you may be legally required to complete some of these risk assessments, there are also a number of risk assessments which you can undertake of your own volition.

Doing so has several benefits: it ensures that risks are properly identified, that you have effective means and mechanisms in place to deal with those identified risks, that you can determine whether any additional resources are required to address those risks over time, and that you can prioritise the allocation of resources within your organisation. When you’re conducting risk assessments, you need to do so in a manner which is systematic, collaborative and iterative. This is because the knowledge of stakeholders can strengthen your risk assessment, especially where that knowledge is leveraged over time as the risk, and people’s experience of it, changes. Taken together, these aspects help you to create, conduct and manage a strong and holistic risk assessment.

Identifying risks

As part of identifying risks within your organisation, you need to find, recognise and describe the risks that may help or hinder it in achieving its goals and objectives. You can achieve this through a simple brainstorming session with your team, as well as by benchmarking your organisation against other market players in your industry and the risks they actively seek to tackle. When completing exercises such as these you should give thought not only to the risks that are within your control, but also to the risks that are beyond it. You should also consider the different possible outcomes of those risks, to make your risk identification process as holistic as possible.

To help inspire your brainstorming activities, the Standard provides a list of where to look and what to look for when it comes to identifying risks. This includes consideration of (1) tangible and intangible sources of risk; (2) causes and events; (3) threats and opportunities; (4) your organisation’s vulnerabilities and capabilities; (5) changes in your organisation’s internal and external environment; (6) any indicators of emerging risks; (7) the nature and value of assets and resources related to the risk; (8) the consequences of risks and their impact on your organisation’s objectives; (9) the reliability of information and limitations of knowledge; (10) time-related factors; and (11) any biases, assumptions or beliefs of the persons involved in the identification process.

Analysing risks

Analysing risks allows you to properly comprehend the risk that you’re dealing with. This involves careful consideration of the risk’s characteristics in a general sense, the level of risk it poses, its likelihood, its uncertainties and its sources. From here, you’ll want to conduct a detailed analysis of the events the risk can trigger and the consequences that follow from it. You may choose to determine consequences such as their magnitude and volatility by modelling different scenarios with different outcomes, where those scenarios and outcomes are altered by the intervention of organisational controls; comparing the results shows you the most effective and appropriate option for dealing with that risk. Analysing these factors in the context of your identified risk will enable you to prepare adequately for its occurrence, such as by allocating or reallocating organisational resources. One of the simplest ways to analyse a risk effectively is to go through each of the points in this paragraph and use them as a checklist against the risks you previously identified.

The beauty of analysing your identified risks is that it can be as surface level or as in depth as you choose. How complex your analysis is depends on three key factors: the purpose of the analysis, the reliability of the information available to you, and the resources available to you to carry it out. Beyond these three factors, the complexity of your risk analysis may also be swayed by the divergent opinions and biases of stakeholders regarding the risk, especially where that risk is difficult to quantify. When faced with such risks, a more in-depth and complex analysis is usually required to gain a deeper understanding of, and insight into, the risk itself. Once you are satisfied with your analysis of the identified risk or risks, you can carry that analysis into the evaluation phase of your risk assessment.

Evaluating risks

The role of risk evaluation is to support you in making informed decisions about the risk or risks that your organisation faces. Just how informed your evaluation is will depend on the depth of your risk analysis, so while the depth of that analysis is at your discretion, doing it poorly will disadvantage your evaluation. You will recall that in our previous article we touched on risk criteria. You will need to use those risk criteria to evaluate each risk, and from that evaluation you will be able to determine any future action, or inaction, concerning it. For example, the evaluation may lead you to conclude that nothing further needs to be done, that you need to consider risk treatment options, that you need to undertake further analysis to better understand the risk, that your existing controls are effective in managing and mitigating the risk, or even that your organisation’s objectives need to be reconsidered. Whatever the outcome of your evaluation may be, you need to bear in mind the broader context within which the risk operates, as well as the consequences for stakeholders internal and external to your organisation.
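To make the analysis and evaluation steps above concrete, here is an added worked example in Python. It is not part of the Standard or of this article: it is a minimal quantitative risk model in which a risk’s likelihood (events per year) and consequence (loss per event) are reduced by candidate controls, the residual exposure is compared against assumed risk criteria (a tolerance, a capacity beyond which objectives are at stake, and a minimum confidence in the estimates), and the cheapest combination of controls that brings the risk within tolerance is selected. The scenario figures, control names and reduction factors are constructed for illustration only.

```python
"""Added example (not from ISO 31000 or the article): scenario-based risk
analysis and evaluation against risk criteria. All figures are constructed."""
from dataclasses import dataclass, replace
from itertools import combinations
from typing import Tuple


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_factor: float   # residual likelihood = inherent * factor (1.0 = no effect)
    consequence_factor: float  # residual consequence = inherent * factor
    annual_cost: float         # what it costs to run the control each year


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float            # expected events per year, before controls (assumed)
    consequence: float           # expected loss per event, currency units (assumed)
    confidence: float            # 0..1 reliability of the estimates (Standard item 9)
    controls: Tuple[Control, ...] = ()


@dataclass(frozen=True)
class Criteria:
    tolerance: float       # annual loss accepted without further treatment
    capacity: float        # annual loss beyond which the objectives themselves are at stake
    min_confidence: float  # below this the estimate is too weak to decide on


def residual_exposure(risk: Risk) -> float:
    """Annual expected loss after applying each control's reduction factors."""
    likelihood, consequence = risk.likelihood, risk.consequence
    for control in risk.controls:
        likelihood *= control.likelihood_factor
        consequence *= control.consequence_factor
    return likelihood * consequence


def evaluate(risk: Risk, criteria: Criteria) -> str:
    """Map the analysed risk onto one of the evaluation outcomes described above."""
    exposure = residual_exposure(risk)
    if risk.confidence < criteria.min_confidence:
        return "analyse further"            # estimates not reliable enough to act on
    if exposure > criteria.capacity:
        return "reconsider objectives"      # no treatment budget makes this tolerable
    if exposure > criteria.tolerance:
        return "treat"                      # consider risk treatment options
    return "accept (existing controls adequate)"


def cheapest_adequate_treatment(risk: Risk, candidates: Tuple[Control, ...],
                                criteria: Criteria) -> Tuple[Control, ...]:
    """Model every combination of candidate controls as its own scenario and
    return the lowest-cost set that brings exposure within tolerance.
    Returns () if the risk is already tolerable or no combination suffices."""
    best = None  # (cost, subset)
    for n in range(len(candidates) + 1):
        for subset in combinations(candidates, n):
            scenario = replace(risk, controls=risk.controls + subset)
            if residual_exposure(scenario) <= criteria.tolerance:
                cost = sum(c.annual_cost for c in subset)
                if best is None or cost < best[0]:
                    best = (cost, subset)
    return best[1] if best is not None else ()


# Constructed sample data (hypothetical figures, not from the article).
CRITERIA = Criteria(tolerance=50_000, capacity=1_000_000, min_confidence=0.5)
PHISHING = Risk("credential phishing", likelihood=4.0, consequence=60_000, confidence=0.7)
MFA = Control("phishing-resistant MFA", likelihood_factor=0.1, consequence_factor=1.0, annual_cost=30_000)
TRAINING = Control("awareness training", likelihood_factor=0.6, consequence_factor=1.0, annual_cost=10_000)
EDR = Control("endpoint detection and response", likelihood_factor=1.0, consequence_factor=0.4, annual_cost=40_000)
CANDIDATES = (MFA, TRAINING, EDR)


if __name__ == "__main__":
    print(f"{PHISHING.name}: inherent exposure {residual_exposure(PHISHING):,.0f} -> {evaluate(PHISHING, CRITERIA)}")
    chosen = cheapest_adequate_treatment(PHISHING, CANDIDATES, CRITERIA)
    treated = replace(PHISHING, controls=chosen)
    print(f"cheapest adequate treatment: {[c.name for c in chosen]}")
    print(f"residual exposure {residual_exposure(treated):,.0f} -> {evaluate(treated, CRITERIA)}")
```

The ordering inside `evaluate` encodes the Standard’s point about information reliability: a risk whose estimates you do not trust is sent back for further analysis before any treatment decision is made, regardless of how large the number looks. Swapping the comparison order, or adding qualitative consequence categories alongside the monetary figure, is where you would tailor this to your own risk criteria.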


All in all, risk assessments are a critical tool for identifying, analysing and then evaluating the internal and external risks faced by your organisation. While critical, they are also largely flexible and can therefore be tailored to the needs and demands of your organisation, with the overall goal of protecting it from adverse risk outcomes.

