Identifying And Documenting Potential Risk Factors

Identifying and documenting potential risk factors for critical processes

Risk evaluation allows you to determine the significance of risks to the business and decide to accept the specific risk or take action to prevent or minimise it.

To evaluate risks, it is worthwhile ranking these risks once you have identified them. This can be done by considering the consequence and probability of each risk. Many businesses find that assessing consequence and probability as high, medium or low is adequate for their needs. These can then be compared with your business plan - to determine which risks may affect your objectives - and evaluated in the light of legal requirements, costs and investor concerns. In some cases, the cost of mitigating a potential risk may be so high that doing nothing makes more business sense.

There are some tools you can use to help evaluate risks. You can plot on a risk map the significance and likelihood of the risk occurring. Each risk is rated on a scale of one to ten. If a risk is rated ten this means it is of major importance to the company. One is the least significant. The map allows you to visualise risks in relation to each other, gauge their extent and plan what type of controls should be implemented to mitigate the risks.

Prioritising risks, however you do this, allows you to direct time and money toward the most important risks. You can put systems and controls in place to deal with the consequences of an event. This could involve defining a decision process and escalation procedures that your company would follow if an event occurred.

Risk management involves putting processes, methods and tools in place to deal with the consequences of events you have identified as significant threats for your business. This could be something as simple as setting aside financial reserves to ease cash flow problems if they arise or ensuring effective computer backup and IT support procedures for dealing with a systems failure.

Programmes which deal with threats identified during risk assessment are often referred to as business continuity plans. These set out what you should do if a certain event happens, for example, if a fire destroys your office. You can't avoid all risk, but business continuity plans can minimise the disruption to your business.

Risk assessments will change as your business grows or as a result of internal or external changes. This means that the processes you have put in place to manage your business risks should be regularly reviewed. Such reviews will identify improvements to the processes and equally they can indicate when a process is no longer necessary.

Step 1 - Analysing How Likely It Is That A “Risk Scenario” Will Occur

Risk analysis is the systematic study of uncertainties and risks we encounter in business, engineering, public policy, and many other areas. Risk analysts seek to identify the risks faced by an institution or business unit, understand how and when they arise, and estimate the impact (financial or otherwise) of adverse outcomes. Risk managers start with risk analysis, then seek to take actions that will mitigate or hedge these risks.

One way to learn how to deal with uncertainty is to perform an experiment. But often, it is too dangerous or expensive to perform an experiment in the "real world", so we resort to a model, such as a scale model of an airplane in a wind tunnel. With a model, we can simulate what would happen in the real world, and perform many experiments for example, subjecting our model airplane to various air currents and forces, and learn how it behaves. We can introduce uncertainty into our experiments using devices such as a coin toss, dice roll, or roulette wheel. A single experiment that involves a coin toss may not tell us very much, but if we perform a simulation that consists of many experiments or trials, and collect statistics about the results, we can learn quite a lot.

Impact assessment is the process of identifying the future consequences of a current or proposed action. It is used to ensure that projects, programmes and policies are economically viable, socially equitable and environmentally sustainable.

Care should be taken when assessing the risks your business may face. You do not want to spend time and money avoiding or reducing those risks that pose little or no threat to your business.

Quantitative risk analysis is the practice of creating a mathematical model of a project or process that explicitly includes uncertain parameters that we cannot control, and also decision variables or parameters that we can control. A quantitative risk model calculates the impact of the uncertain parameters and the decisions we make on outcomes that we care about - such as profit and loss, investment returns, environmental consequences, and the like. Such a model can help business decision makers and public policy makers understand the impact of uncertainty and the consequences of different decisions.

A quantitative assessment of your risks would be the numerical product of these two factors. For example, if a risk has a high probability and a high cost/impact, then it will get a high-risk assessment.

Unfortunately, quantitative measures of risk like this are only meaningful when you have good data. You may not have the necessary historical data to work out probability, and cost estimates on IT-related risks change so quickly that accurate financial data is rarely available.

Therefore, a more practical approach is to use a qualitative assessment. In this case, you use your judgement to decide whether the probability of occurrence is high, medium or low. You do this similarly for cost/impact. You might then take action on risks that are high probability/medium cost, medium/high or high/high, and leave the rest.

Click here to view a video about quantitative and qualitative risk assessment.

Step 2 - Rating the Impact Of Each Scenario

The impact of the risk event is assessed on a scale of 0 to 5, where 0 and 5 represent the minimum and maximum possible impact respectively of an occurrence of a risk (usually in terms of financial losses).

The probability of occurrence is likewise assessed on a scale from 0 to 5, where 0 represents a zero probability of the risk event actually occurring while 5 represents a 100% probability of occurrence.

The Composite Index can take values ranging from 0 through 25, and this range is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or High, depending on the sub-range containing the calculated value of the Composite Index. For instance, the three sub-ranges could be defined as 0 to 8, 9 to 16 and 17 to 25.

Note that the probability of risk occurrence is difficult to estimate since the past data on frequencies are not readily available, as mentioned above. Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the potential financial loss in the event of risk occurrence.

Furthermore, both the above factors can change in magnitude depending on the adequacy of risk avoidance and prevention measures taken and due to changes in the external business environment. Hence it is absolutely necessary to periodically re-assess risks and intensify/relax mitigation measures as necessary.

Use the same principles for probability. For example, you might classify as 'high probability' something that you expect to happen several times a year. You might classify as 'low probability' something that you expect to happen very infrequently.

Step 3 - Determining Priorities In The Event Of The Risk Materialising

After identifying and analysing the risks, you can evaluate.

After identifying and analysing the risks, you can evaluate.

You need to describe or to quantify exactly what the ‘Likelihood’ and ‘Consequence’ terms means to you. This helps in ensuring a consistent approach in future risk assessment and review and monitoring. It promotes a common understanding within the business. After establishing ‘Likelihood’ and ‘Consequence’ you can use a table like this to set a level of risk.

You must define what these risk levels mean to you. Low and very low-level risks can normally be accepted, subject to on-going monitoring. All other risks are included in the management plan. The plan catalogues the risks, the level of risk, and describes a treatment. The treatment is the action proposed, (and perhaps the resources allocated). A common method of treating risks is to develop risk profiling and targeting systems.

Risk Profiles are developed as a means of putting risk management into practice at the operational level.

Click here to view a explanation of the risk matrix.