6.- WHAT IS THE PROCEDURE FOR PERFORMING A RISK ASSESSMENT?
How do you combine risk assessment with risk management? The combined risk assessment and risk management process can be described as a seven-step process. The first three steps are associated with risk assessment and the last four with risk management.
6.1.- Formulate the risks in a broad context.
Do this by answering questions like: What activities are we talking about? What are the risks? Who must manage the risks? Who are the stakeholders? Also, establish relationships among the risks and rely on stakeholders for risk identification and characterization.
In order to understand and treat risks, you need to be clear about the internal and external context in which your organization is operating. Each company operates within its own particular context and will therefore have its own particular risks. While some risks may apply to almost everyone, some will be specific to your organization. In undertaking a risk assessment you need to take into account your own organization's specific objectives and capabilities, as well as external factors such as customers, suppliers, market and competitors, and economic, social, technological and industrial events.
So how do you go about establishing a context for risk management? Start by allocating the task to one person (ideally someone with a particularly good grasp of what your organization is about, as well as some background knowledge about risk management), or set up a risk committee.
Questions you need to ask as part of the process of establishing a risk management context for your organization can be broken down into two areas: the organizational context and the strategic context.
The organizational context involves looking at your organization's aims, activities, structure, membership and methods of operation:
- What are the aims and objectives of your organization?
- What are your organization's core activities?
- Who is involved internally with your organization?
- What facilities do you have and / or use?
The strategic context involves looking at the environment in which your group operates:
- What external relationships does your organization have, and how important are these?
- What laws, regulations, rules or standards apply to your organization?
- What external trends should you consider in defining your strategic context?
6.2.- Risk management planning.
This covers roles and responsibilities with clear communication of what is expected, the budget for risk activities, timing, thresholds, reporting formats, and scoring and interpretation information.
6.3.- Risk identification.
This step includes determining and documenting where the organization might be at risk. Do this by answering the question: what could go wrong? Risk identification aims to determine the qualitative nature of the potential adverse consequences of the risks, the strength of the evidence for them and the conditions that lead to exposure to the risks.
6.4.- Perform the risk analysis.
Evaluate the risk in order to determine its effects, the likelihood of the risk occurring, and any uncertainties in the estimate.
“What is the likelihood of the risk occurring, and what is the consequence of that outcome?”
There are two types of analysis: qualitative and quantitative.
- Qualitative risk analysis. In analyzing risks, practitioners look closely at two aspects: probability and impact (sometimes referred to as effect or consequence). Risk probability is the likelihood of occurrence of the risk event; the scales can be numeric or descriptive.
- Quantitative risk analysis includes distributions, simulations and decision-tree analysis. The key element of analysis is to numerically quantify the identified risk.
You have to analyze and evaluate all the risks from a double perspective: achievement of the targets and goals of your organization and economic impact.
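As an added worked example (it is not part of the original text), the two kinds of analysis described above in Python: a qualitative probability x impact score over a constructed risk register, with the impact taken from both perspectives the text names (achievement of organizational goals and economic impact), and a quantitative Monte Carlo simulation of annual loss. The 1-to-5 scales, the rating thresholds, the choice of Poisson and triangular distributions, and every value in the register are assumptions of this example, not figures from the text.

```python
import math
import random

# Constructed sample risk register for a hypothetical organization. Probability
# and the two impact scores use a 1 (lowest) to 5 (highest) descriptive scale;
# the scale itself is an assumption of this example.
SAMPLE_REGISTER = [
    {"risk": "Unpatched internet-facing server", "probability": 4, "goal_impact": 3, "economic_impact": 5},
    {"risk": "Loss of key staff member", "probability": 2, "goal_impact": 4, "economic_impact": 2},
    {"risk": "Critical supplier outage", "probability": 3, "goal_impact": 2, "economic_impact": 3},
    {"risk": "Office flood", "probability": 1, "goal_impact": 5, "economic_impact": 4},
    {"risk": "Minor website defacement", "probability": 3, "goal_impact": 1, "economic_impact": 1},
    {"risk": "Adverse regulatory change", "probability": 3, "goal_impact": 4, "economic_impact": 3},
]

# Rating bands for the probability x impact score (assumed thresholds, checked
# from the highest floor downwards).
RATING_BANDS = [(15, "Critical"), (10, "High"), (5, "Medium"), (0, "Low")]


def rate(score):
    """Map a numeric score onto the descriptive rating bands."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def qualitative_analysis(register):
    """Score each risk as probability x impact, where impact is the larger of the
    goal impact and the economic impact so that both perspectives count.
    Returns the scored register sorted from highest to lowest score."""
    scored = []
    for entry in register:
        for key in ("probability", "goal_impact", "economic_impact"):
            if not 1 <= entry[key] <= 5:
                raise ValueError(f"{entry['risk']}: {key} must be between 1 and 5")
        impact = max(entry["goal_impact"], entry["economic_impact"])
        score = entry["probability"] * impact
        scored.append({"risk": entry["risk"], "score": score, "rating": rate(score)})
    return sorted(scored, key=lambda r: r["score"], reverse=True)


def poisson_sample(rng, mean):
    """Draw a Poisson-distributed event count (Knuth's multiplication method)."""
    threshold = math.exp(-mean)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def quantitative_analysis(events_per_year, loss_low, loss_mode, loss_high, trials=20000, seed=7):
    """Monte Carlo estimate of annual loss for one risk. The number of loss
    events per year is Poisson-distributed with the given mean, and each event's
    loss is drawn from a triangular distribution (minimum, most likely, maximum).
    Returns the mean annual loss, the 95th-percentile annual loss and the
    fraction of simulated years with any loss at all. The seed makes the run
    reproducible."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, events_per_year)
        losses.append(sum(rng.triangular(loss_low, loss_high, loss_mode) for _ in range(events)))
    losses.sort()
    return {
        "mean_annual_loss": sum(losses) / trials,
        "annual_loss_p95": losses[int(0.95 * trials) - 1],
        "probability_of_loss": sum(1 for x in losses if x > 0) / trials,
    }


if __name__ == "__main__":
    for row in qualitative_analysis(SAMPLE_REGISTER):
        print(f"{row['score']:>3}  {row['rating']:<8} {row['risk']}")
    # Assumed parameters: two loss events a year on average, each costing
    # between 10,000 and 200,000 with 50,000 most likely.
    print(quantitative_analysis(2.0, 10_000, 50_000, 200_000))
```

The qualitative table is what a risk committee would review first; the quantitative figures (an expected annual loss of roughly twice the mean event loss under these parameters, and a 95th percentile that shows how bad a plausible bad year is) feed the thresholds and cost-effectiveness judgements that the planning and response steps refer to.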
6.5.- Risk response planning.
This phase involves developing potential solutions based on the root causes identified and how they could be implemented in ways that are feasible, cost effective, and strategically acceptable. The assumption is that solutions that address the root causes will subsequently have an impact on the organization's goals and targets. Operating tolerances are documented, and pilot studies are validated for their impact. Examining options and deciding on actions to enhance opportunities and reduce risks is part of this activity. Responses are validated for appropriateness and cost effectiveness and are agreed upon by all parties involved in the response plans. Common response strategies include:
- Avoid – Plan to remove the risks or the threats posed by the risks.
- Transfer – Shift the negative impact of a threat, along with ownership of the response, to a third party. This action does not eliminate the risk.
- Mitigate – Reduce the probability and / or impact of an adverse risk event to an acceptable threshold.
- Accept – Decide not to deal with a risk, or be unable to identify any other suitable response strategy.
6.6.- Risk monitoring and control.
The risk committee keeps track of identified risks by looking out for warning signals. Corrective actions are evaluated according to their effectiveness or appropriateness, and the risk response plans are reviewed and evaluated. Risk reassessments are on the agenda of team meetings as part of risk control. Documents are updated with the actual outcomes of organizational risks as lessons learned.
6.7.- Risk management communication.
Effective risk management requires proper information flow through the appropriate channels, as well as effective handling of current and historical data.