9.- RISK IDENTIFICATION.
It is important to begin by understanding the relevant business objectives in scope for the risk assessment. These will provide a basis for subsequently identifying potential risks that could affect the achievement of objectives, and ensure the resulting risk assessment and management plan is relevant to the critical objectives of the organization.
Based on the organization’s objectives, the designated owners of the risk assessment should develop a preliminary inventory of events that could impact the achievement of the organization’s objectives. “Events” refers to prior and potential incidents occurring within or outside the organization that can have an effect, either positive or negative, upon the achievement of the organization’s stated objectives or the implementation of its strategy and goals.
A review of the external environment helps identify outside events that may have impacted the organization’s purposes and values in the past or may impact it in the future. Drivers to consider include economic, industrial, technological and market events, which can be identified through external sources such as media articles, business information databases, emerging trends in automation and new technologies, marketing reports, customer surveys, etc. A review of the organization’s internal processes, people, technology, and data helps identify further events.
From a deeper point of view, identifying risks requires a broad approach: in fact, the broader, the better. This is an ideal opportunity to get everyone in your organization involved in the risk management process and, believe it or not, it is actually possible to have a bit of fun by starting with a giant brainstorming session to identify any and all risks that could confront your organization.
Brainstorming is a tool that consist on getting everybody together in one room and have someone up the front with a pen and a whiteboard. The scribe's job is simply to write down any risks that anyone can think of. Depending on the size of your organization, you may want to break up into smaller groups to brainstorm ideas, then present them to the group (you can assign different groups to different areas of potential risk, for example). It's important to document all the potential risks that you identify. A good way of doing this is to compile a risk register. The aim of the register is to proactively begin to raise the profile of what risks exist within your group. Some useful questions to ask when identifying risk include:
It is important to begin by understanding the relevant business objectives in scope for the risk assessment. These will provide a basis for subsequently identifying potential risks that could affect the achievement of objectives, and ensure the resulting risk assessment and management plan is relevant to the critical objectives of the organization.
Based on the organization’s objectives, the designated owners of the risk assessment should develop a preliminary inventory of events that could impact the achievement of the organization’s objectives. “Events” refers to prior and potential incidents occurring within or outside the organization that can have an effect, either positive or negative, upon the achievement of the organization’s stated objectives or the implementation of its strategy and goals.
A review of the external environment helps identify outside events that may have impacted the organization’s purposes and values in the past or may impact it in the future. Drivers to consider include economic, industrial, technological and market events, which can be identified through external sources such as media articles, business information databases, emerging trends in automation and new technologies, marketing reports, customer surveys, etc. A review of the organization’s internal processes, people, technology, and data helps identify further events.
From a deeper point of view, identifying risks requires a broad approach: in fact, the broader, the better. This is an ideal opportunity to get everyone in your organization involved in the risk management process and, believe it or not, it is actually possible to have a bit of fun by starting with a giant brainstorming session to identify any and all risks that could confront your organization.
Brainstorming is a tool that consist on getting everybody together in one room and have someone up the front with a pen and a whiteboard. The scribe's job is simply to write down any risks that anyone can think of. Depending on the size of your organization, you may want to break up into smaller groups to brainstorm ideas, then present them to the group (you can assign different groups to different areas of potential risk, for example). It's important to document all the potential risks that you identify. A good way of doing this is to compile a risk register. The aim of the register is to proactively begin to raise the profile of what risks exist within your group. Some useful questions to ask when identifying risk include:
- What can happen?. When, where, why and how might this occur?.
- Who and what might be involved?.
- What are the potential effects and who will be affected?. What are we doing about this now?.
“All risks, regardless of any immediate potential impact, should be recorded”.
All the events identified on the brainstorming should be inventoried and translated into opportunities (positive events) or risks (negative events). Opportunities should flow into management’s strategy and objective setting processes, whereas threats should be further categorized and assessed.
It is important to define risks in terms that are useful in figuring out how to treat that risk. A risk usually comprises three parts:
The main output of the risk identification process is the list of identified risks to begin creating the risk register. The risk register is:
There are many tools and techniques for Risk identification:
It is important to define risks in terms that are useful in figuring out how to treat that risk. A risk usually comprises three parts:
- A source.
- Something / someone that is at risk.
- An effect.
The main output of the risk identification process is the list of identified risks to begin creating the risk register. The risk register is:
- A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format.
- A tool for documenting potential risk events and related information.
There are many tools and techniques for Risk identification:
- Brainstorming. As I have mention previously, this well - known method is a group creativity technique by which efforts are made to find a conclusion for a specific problem by gathering a list of ideas spontaneously contributed by its members.
- Delphi technique. Here a facilitator distributes a questionnaire to experts, responses are summarized (anonymously) & re - circulated among the experts for comments. This technique is used to achieve a consensus of experts and helps to receive unbiased data, ensuring that no one person will have undue influence on the outcome.
- Root cause analysis. For identifying a problem, discovering the causes that led to it and developing preventive actions.
- Cause and effect diagrams. These are causal diagrams that show the different causes of a specific event to identify potential factors causing the overall effect.
- System or process flow charts. These diagrams represent an algorithm, workflow or process, showing the steps as boxes of various kinds, and their order by connecting them with arrows.
- Influence diagrams. Graphical representation of situations, showing the casual influences or relationships among variables and outcomes.
- Structured What If Technique (SWIFT) is a flexible, high - level risk identification technique that can be used on a stand - alone basis, or as part of a staged approach to make more efficient use of bottom - up methods like Failure mode and effects analysis (FMEA). SWIFT uses structured brainstorming with guide words and prompts to identify risks, with the aim of being quicker than more intensive methods for Risk Assessment.
- By breaking down the system into known subsystems using techniques such as event trees or fault trees. Fault Tree Analysis (FTA) is a Root Cause Analysis technique used to record and display, in a logical, tree - structured hierarchy, all the actions and conditions (or causal factors) that are necessary and sufficient for a given consequence to have occurred. Typically, FTA is used to investigate a single adverse event or consequence, which is usually shown as the top item in the tree. Factors that were immediate causes of this effect are then displayed below it, linked to the effect using branches. Note that the set of immediate causes must meet certain criteria for necessity, sufficiency, and existence. Once the immediate causes for the top item in the tree are shown, then the immediate causes for each of these factors can be added, and so on. Every cause added to the tree must meet the same requirements for necessity, sufficiency, and existence. Eventually, the structure begins to resemble a tree's root system. Chains of cause and effect flow upwards from the bottom of the tree, ultimately reaching the top level. In this way, a complete description can be built of the factors that led to the adverse consequence. Each new cause added to the tree should be evaluated as a potential endpoint. When can a cause be designated as an endpoint?: if the cause is removed or corrected, the adverse consequence does not occur. A Fault Tree Analysis will usually have many endpoints. The set of all endpoints is in fact a fundamental set of causes for the top consequence in the tree. This fundamental set includes endpoints that would be considered both beneficial or detrimental; every one of them had to exist, otherwise the consequence would have been different. Endpoints that require corrective action would typically be called root causes, or root and contributing causes if some scheme is being used to differentiate causes in terms of importance.
- SWOT analysis. This is a structured planning method used to evaluate the strengths, weaknesses, opportunities and threats involved in a project or in a business venture. A SWOT analysis can be carried out for a product, project, place, industry or particular situation. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieve that objective.
- Expert judgment. Individuals who have experience with similar situations in the not too distant past may use their judgment through interviews or risk facilitation workshops.
- Yokoten (From One Place to Another). This tool is a process by which whatever is learned from one project is shared among other projects. This is where the Japanese term yokoten, which means taking from one place to another, gets prime attention. Yokoten emphasizes learning at an organizational level through sharing of the best practices from one project to other similar projects. In risk management practices, the identified risks and the corresponding abatement actions provide an immense learning opportunity among projects. Hence, achieving yokoten for risk management is essential for knowledge sharing among projects. In this case, owners of the completed projects need to identify the risks and abatement actions that could be applied to other similar projects and provide such inputs to build a generic risk database. A panel of technical experts should review the submitted generic risks and approve the items as appropriate. The panel of technical experts for risk management may be a virtual team comprised of a group of technical experts from various teams based on the fields (e.g., engineering, manufacturing, etc.). These approved generic risks will then be appended to the generic risk database. While starting a new project, the leader of the project would need to go through the generic risk database and identify those risks and abatement actions that are applicable to the new project for carrying out the risk management activities.
- Or by using a combination of all these methods.