|
Risk Assessments
A risk is something that could stop
you achieving your objectives. Having assessed what you can
do, you then plan for it so as to reduce or eliminate its
impact. Where this cannot be achieved, the item in question
should be presented to the next level up.
The principles of corporate governance
apply to both public and private organisations. It is vitally
important therefore to implement risk management processes.
This makes good business sense. Better management of resources
brings benefits for employees and customers.
Risk management is about gathering
information to make better decisions, making it more likely
that objectives will be achieved. It's about being aware of
the risks involved - to think about the consequences, outcomes
or impact.
Assessment Questions
It is important that all leaders
and managers consider risk when making decisions. Here are
a few examples of the questions you should ask:
What is the risk in this situation ?
What could
happen to the desired outcomes ?
How likely
is the occurrence ?
Do the
benefits outweigh the risk ?
What can
we do to reduce the risk ?
Has anything
happened to alter the risk ?
What plans
could be put in place in case the 'event' occurs ?
Can we
transfer the risk to someone else through insurance or contracting
out ?
Organisations need to consider the
arrangements they put in place to create an effective control
environment. Accountability for risk management must operate
at all levels and follow a common and clearly identified risk
assessment process. These control procedures will help to
mitigate risks if monitored at both a strategic and an operational
level, and then communicated effectively.
Risk
Management Process
| |
Establish the context
(Is it strategic or
operational ?)
|
|
| |
Identify the risks
(What could happen
and how ?)
|
|
| |
Analyse the risks
x(How
critical is the risk ?)
|
|
| |
Determine Controls
(Likelihood and possible
impact ?)
|
|
| |
Evaluate the risks
(How do they compare
against criteria and set priorities ?)
|
|
| |
Accept the risks
xx(Whatfacts
have to be faced ?)
|
|
| |
Treat the risks
(Can you agree, prepare
and implement plans)
|
|
There are many approaches to identifying
risk. One popular approach is brainstorming because it can
be used at all levels acros an organisation. Start with an
analysis of strengths, weaknesses, opportunities and threats
(SWOT) of the successful completeion of strategic and operational
plans. The results should form part of the Buisness Plan.
Categorising the Risk
In order to help the thought
process and give some structure to your brainstorm, you can
consider risks under the following headings.
|
|
|
Professional
|
|
|
|
|
Social
|
Customer
|
Reputational
|
|
|
|
Environmental
|
Competitive
|
Citizen
|
|
|
Technological
|
Legislative
|
Contractual
|
Partnership
|
Political
|
|
Managerial
|
Physical
|
Financial
|
Legal
|
Economic
|
A facilitator can interview each member
of the group that has been brought together to assess the
risks and go through all the above headings with them. The
facilitator can then bring together all the risks which then
form the basis of the brainstorming session. The group then
identify the top 10 - 20 which have the highest financial
or reputational risk.
Summary of Key Risks
You can now start to put together
a working document which can be reviewed on a regular basis
and used as a tool to support decision-making at a senior
level. Here is a suggested format.
|
No.
xx
|
Risk or
Hazard |
Inherent Risk
Impact/Likelihood |
Controls
xxx |
Residual Risk
Impact/Likelihood
|
Target Risk
Impact/Likelihood |
|
1.
xx
xx
|
Failure of key process
|
Critical/
Significant
xxxx |
Satisfactory.
Monitoring
in placexx |
Critial/Low
xxxx
xxxx |
Critical/Low
xxx
xxx |
| 2. |
|
|
|
|
|
| 3. |
|
|
|
|
|
Use the descriptions of impact and
likelihood categories below to enter them into the summary
above and score the risk on the matrix below.
Impact and Likelihood Matrix
Plot each risk assessment on
the matrix by number. The grey areas are unacceptable risks
and require immediate action to improve control. Acceptable
risks need close monitoring and cost effective control improvements
found.
| Very
High |
|
|
|
|
| High |
|
1 |
2 |
|
| Significant |
|
9, 12 |
|
10 |
| Low |
3 |
5, 6 |
4 |
|
| Very Low |
|
|
11 |
8 |
| Non-existent |
|
|
|
7 |
|
Negligible
|
Marginal
|
Critical
|
Catastorphic
|
Measures of impact and likelihood
Below are descriptions of the
impact and likelihood categories you can use.
LIKELIHOOD MEASURES
| Description |
Example |
| Very High |
Is expected
to occur in most circumstances |
| High |
Will probably
occur in most circumstances |
| Significant |
Might occur
in most circumstances |
| Low |
Could occur
in most circumstances |
| Very Low |
May occur
only in exceptional circustances |
| Non-existent |
Is
never likely to occur |
IMPACT MEASURES
| Description |
Example |
| Catastrophic |
Medium term
loss of service capability, adverse publicity or breaches
of the law punishable by imprisonment. |
| Critical |
Short term
loss of service, litigation expected and breaches of the
law punishable by fines only. |
| Marginal |
Needs careful
public relations with potential for complaint with breaches
of regulations or standards. |
| Negigible |
No significant
disruption to service with little adverse publicity and
only breaches of local procedures. |
Produce an Action Plan
The next step is to produce an
Action Plan that will mitigate the risks identified. Having
identified the controls in place they need to be entered in
the Key Risk Summary above. The risk now needs to be reassessed
in the light of new circumstances. This is the residual risk
which should also be entered in the summary above.
You now need to to identify if you
are accepting the risk and do nothing, managing and monitoring
it, or changing the way tasks are undertaken to reduce the
risk, eliminate it completely or transfer it to someone else,
as in the case of insurance or contractual agreements.
|
Return
to top