The first step in the risk management process is to establish the context, as this creates the criteria against which you will assess the risks. The scope should be laid out within your organization’s objectives. These objectives need to be set out clearly, as risks are the uncertainties that can affect achieving your business objectives.
Selecting your business objectives should be done by evaluating both internal and external factors that may impact your organization. Reviewing these at the beginning of your risk assessment planning helps you identify processes that may be subject to increased risks. These are the processes that will extract the most value from risk assessment.
Comprehensive identification of major risks is crucial for effective risk management. If you fail to identify a potential risk, it will be excluded from any further analysis and giving it an inadequate amount of attention could be disastrous. There are a few steps to effectively identifying risks:
1. Identify what could happen, and where and when it could occur
Based on the last step, establishing context, you need to come up with a list of potential risks that could interfere with achieving the business objectives you chose. Use qualitative terms to describe the risk even if it were to occur. Some phrases to start with are “failure to…” or “loss of…” but do not include the consequence of the risk, simply identify it. Ask yourself some questions to help you identity risk, such as:
- How could we fail?
- Where are we vulnerable?
- What could go wrong?
- How could someone disrupt our operations?
- How do we know whether we are achieving our objectives?
- What information do we rely on most?
- What do we spend the most money on?
- What activities are most complex?
2. Identify why and how it could happen
Now you need to consider the possible causes and consequences of each risk.
Identify potential triggers that could cause the risk to occur – a single identified risk might have just one cause, or it may have multiple. Different risks may also have the same single cause.
Now, identify the possible consequences of each risk event – again, a single identified risk might have just one consequence, or it may have multiple. Different risks may also have the same single consequence.
There are a few different techniques you can use for this step. You may opt to have ongoing risk identification, where anyone can identify risks, or you may want to consider desk-based risk assessment. The latter is a good option for fairly straightforward processes, and involves a discussion and assessment of risks with the people who are involved in the day-to-day operation of the selected process.
Risk analysis and assessment
Risks are basically uncertainties about outcomes. You need to consider how likely the risk event is to happen, and the possible extent of the consequences. Based on risk analysis, you assign a risk rating. The analysis usually involves:
- Analyzing inherent risks (what’s the likelihood and consequence of the risk event if it occurred in an uncontrolled environment?)
- Identifying and evaluating controls (what controls are in place to deal with the risk and how effective are they?)
- Analyzing residual risks (what’s the likelihood and consequence of the risk event if it occurred in the current environment?)
Risk assessment provides insight into key business risks and how they link to your organization’s objectives and processes. You need to develop the criteria by which you’ll assess risks – this is subjective, so it’s productive to have various stakeholders challenge each other. Let’s examine these steps in more detail:
Analyzing inherent risks
You conduct this analysis before looking at the controls that are already in place; this helps you understand the role of controls in reducing risk. For each risk, ask:
- How likely is the risk to occur if no controls were in place?
- What is the extent of the probable consequence if the risk were to occur with no controls in place?
Identifying and evaluating controls
Controls are any action you have in place that will reduce the likelihood or consequences caused by a risk event occurring. For each risk, ask:
- What is the existing control in place? This could be the process, policy or action that can be used to change the likelihood or consequences of the risk event. If there’s nothing in place, you have a control gap.
- How effective is the control? This includes its design and its operation.
Analyzing residual risks
This step is assessing the risk after controls are taken into consideration. For each risk, ask:
- How likely is the risk to occur within the current environment? This should be done after reviewing how effective the controls are.
- What is the most likely consequence of the risk event if it occurred in the current environment? This should assume that the controls are operating at the strength that is expected.
Based on these factors, you should come up with one overall risk rating for residual risks.