10.- ANALYSING RISK IN YOUR ORGANIZATION.
A clear analysis of the likelihood and severity of each risk you have identified will help you decide on priorities for treatments. Before you can do anything about the risks that face your organization the risks must be analysed to determine their potential to affect the achievement of objectives and goals of your company. This will give you a basis for determining which risks are the most serious, which are treatable and which can be accepted, and that will give you a good framework to assess your risk management priorities. Setting clear priorities will allow you to tackle risk in a logical order. The analysis should also be open to review and the results circulated to members as part of the communication and consultation process.
Analysis can be based in two simple criteria:
- Likelihood: how likely is it the risk will occur?.
- Severity (or Consequence): how bad is it if the risk is realised?.
- Qualitative analysis is the easiest, and most commonly used, method of analysing risks, especially for smaller organizations. It applies a descriptive word to the level of risk and is based on knowledge, experience and anecdotal evidence. This method does have limitations, including a risk of subjectivity, but is useful in indicating which risks may be disregarded, those that require further attention, and management priorities.
- Quantitative analysis applies a numerical value to the level of risk. This method usually depends on reliable data and is best used when specific figures are available. This method can be extremely accurate but is best suited to large organizations where there is enough evidence to provide useful analysis.
“Events identified as potentially impeding the achievement of objectives are deemed to be risks and should be evaluated based on the likelihood of occurrence and the significance of their impact on the objectives”.
Remember that the likelihood and severity of particular risks will be different for different organizations. The idea is not to detail all the potential losses that may result if a risk does occur, but simply to assign a level of estimated risk that will provide a basis for managing those risks.
”The success of the risk assessment process depends on the extent to which it identifies root cause issues”.
Part of the difficulty in risk management is that measurement of both of the quantities in which risk assessment is concerned – severity and likelihood of occurrence – can be very difficult to measure. The chance of error in measuring these two concepts is high. Risk with large severity and a low probability of occurrence, is often treated differently from one with low severity and a high likelihood of occurrence. In theory, both are of near equal priority, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process.