Risk Identification, Analysis and Evaluation Processes



In this risk-based world, an organization needs to identify, analyse and evaluate the risks that are likely to cause it to fail in achieving its strategic objectives. This process enables the organization to propose proper mitigation measures and to allocate the resources needed to implement them.


RISK IDENTIFICATION PROCESS
Risk identification is the process of determining what, where, when, why, and how something could happen. The objective of risk identification is to generate a comprehensive list of risks based on those events and circumstances that might enhance, prevent, degrade or delay the achievement of the objectives.


The following are the steps in risk identification:

i.    Establish and understand the context
  1. To demonstrate that risks have been identified effectively, it is useful to step through the department, process, project or activity in a structured way using the key elements defined while establishing the context. This helps provide confidence that the risk identification process is complete and that major issues have not been missed.
  2. Remember that risks are identified against the objectives of the organization, area or department you are dealing with.
  3. Decide the level at which the risk identification exercise will be based (e.g. strategic level only, departmental, or operational). The lower the level, the more comprehensive, but also the more expensive and time-consuming, the exercise becomes.

ii.   Gather information to identify a list of risks against objectives

  1. The starting point for risk identification may be historical information about this or similar organizations, followed by discussions with a wide range of stakeholders about historical, current and evolving issues.
  2. The risk identification process should include all risks, whether or not they are under the control of the organization.
  3. In identifying risks, it is also important to consider the risks associated with not pursuing an opportunity. It is equally important to differentiate between an absence of control and a risk: "bank reconciliations may not be performed" is an absence of control, not a risk, whereas "cash loss" and "fraudulent transactions may go undetected" are risks.
  4. The list of risks is then used to guide the analysis, evaluation, treatment and monitoring of key risks.

iii.  Apply risk identification tools and techniques

  1. Apply a set of risk identification tools and techniques suited to the organization's objectives and capabilities, and to the risks it faces.
  2. The approach used will depend on the nature of the activities under review, the types of risk, the organizational context, and the purpose of the risk management exercise.
  3. You may use either a survey or team-based brainstorming (e.g. workshops such as Control Risk Self-Assessment, CRSA) for risk identification.
  4. If using a survey, consider the difficulties in distributing and collecting the survey instrument (e.g. the response rate and the need to explain things to each respondent).
  5. CRSA or team-based brainstorming, e.g. using facilitated workshops, is the preferred approach as it encourages commitment, considers different perspectives and incorporates differing experiences.
  6. People with appropriate knowledge should be involved in identifying risks.
  7. During the identification process the team may use checklists, judgement based on experience and records, brainstorming, systems analysis, and scenario analysis.

iv.   Questions to ask during the risk identification process
  1. For each element (e.g. strategic, departmental, unit, section, process or project) the risk identification process should be guided by the following questions:

  What might happen that could:
  • Increase or decrease the effective achievement of objectives,
  • Make the achievement of the objectives more or less efficient (e.g. financial, people, time),
  • Cause stakeholders to take action that may influence the achievement,
  • Produce additional benefits.

  Other considerations:
  • What would the effect on objectives be?
  • When, where, why and how are these risks (both positive and negative) likely to occur?
  • Who might be involved or impacted?
  • What controls currently exist to treat this risk (and what are their weaknesses)?
  • What could cause the control not to have the desired effect on the risk?


v.    Categorize the identified risks

  1. Use a risk categorization model to group risks by allocating a risk category according to where each risk arises and hence where it needs to be addressed. Use best judgement as to the appropriate category. Allocate each risk to only one category.



vi.   Document the risks identified in a Risk Identification and Analysis Sheet

  1. Each risk that is identified should be documented in a Risk Identification and Analysis Sheet.
  2. Each risk will have its own sheet; the sheets will later be summarized into a Risk Register.
  3. It is critically important at this stage to understand the cause-effect relationship between a risk, its causes, and the potential consequences should the risk occur.
  4. The Risk Identification and Analysis Sheet will be used throughout the remaining stages of the risk assessment process by filling in the gaps as indicated on the sheet.





Risk analysis

Risk analysis is a systematic process to understand the nature of risk and determine the level of risk. It helps to guide the evaluation of risks by defining the key parameters of the risk and how these may impact the achievement of organizational objectives.

In addition, the data and related information collected during the risk analysis process can be used to guide risk treatment decisions. The following steps should be taken in risk analysis:

i.    Identify and evaluate existing controls

  1. When assessing a risk, it is important to identify what controls (and weaknesses) are in place to mitigate the risk.
  2. Many controls are built into existing business operations and systems.
  3. Examples of controls include the following:

  • Controlled physical access (e.g. security codes, access cards, security personnel)
  • Employee code of conduct
  • Specified training (e.g. software, hazardous substances)
  • Automated software controls (e.g. temperature control)
  • Policies and procedures
  • Insurance
  • Budget management
  • Formalized contracts and service level agreements
  • Audits (internal and external), etc.

  4. Controls should be considered on the basis of:
  • Design effectiveness: is the control "fit for purpose" in theory, i.e. is the control designed appropriately for the function for which it is intended?
  • Operational effectiveness: does the control work in practice as intended?
  5. It is useful to involve staff with an understanding of the controls when rating them.
  6. Internal audit, business analysis and operational/financial management can all provide input into control identification and assessment.

ii.   Determine risk likelihood and impact
  1. The magnitude of the consequences of an event, should it occur, and the likelihood of the event and its associated consequences, should be assessed in the context of the effectiveness of the existing strategies and controls.
  2. Where no reliable or relevant past data is available, subjective estimates may be made which reflect an individual's or group's degree of belief that a particular event or outcome will occur.
  3. The most relevant sources of information for analyzing consequences and likelihood may include:

  • Past records,
  • Practical and relevant experience,
  • Relevant published literature,
  • Market research,
  • Results of public consultation,
  • Expert judgement.


iii.  Rate the risk likelihood and impact using either a 3-band or 5-band rating scale

Risk likelihood and impact can be rated on either a 3-band rating scale or a 5-band rating scale (or in some instances a 4-band scale). Choose the rating scale that is most convenient for your organization; the general guidance is:
  • Organizations conducting a risk assessment for the first time should start with a 3-band rating and move to a 5-band rating at a later stage.
  • Organizations with a mature risk management practice are advised to maintain their current rating bands.

  1. For a 3-band rating scale, risks are rated as High, Medium or Low (for both likelihood and impact), with symbols and numbers as shown in the table below:

Table: Risk Ratings in 3-Band Rating Scale

Number | Impact     | Likelihood
3      | High (H)   | High (H)
2      | Medium (M) | Medium (M)
1      | Low (L)    | Low (L)

  2. For a 5-band rating scale, both impact and likelihood are classified as Very High, High, Medium, Low or Very Low. The table below provides the 5-band rating scales for both impact and likelihood:

Table: Risk Ratings in 5-Band Rating Scale

Number | Impact                            | Likelihood
5      | Very High (VH), also Catastrophic | Very High (VH), also Almost certain
4      | High (H), also Major              | High (H), also Likely
3      | Medium (M), also Moderate         | Medium (M), also Possible
2      | Low (L), also Minor               | Low (L), also Unlikely
1      | Very Low (VL), also Insignificant | Very Low (VL), also Rare

The tables below give more detailed classification guidance on the nature of each scale.

Table: Classification Guidance on Risk Impact

Very High (Catastrophic), score 5:
  • Non-delivery of services / impact that would result in failure to achieve three or more of our strategic aims, objectives or key performance targets
  • Significant financial loss (e.g. budget reduction by 20%)
  • Multiple loss of life and/or loss of reputation or image that may take more than five (5) years to recover or involves litigation
  • Event that involves significant management time

High (Major), score 4:
  • Non-delivery of services / impact that would result in failure to achieve one or two of our strategic aims, objectives or key performance targets
  • High financial loss (e.g. budget reduction by 10%)
  • Multiple loss of life and/or loss of reputation or image that may take 2-5 years to recover or involves litigation
  • Event that involves relatively more management time

Medium (Moderate), score 3:
  • Partial delivery of services / restricted ability to achieve one or more of our strategic aims, objectives or key performance targets
  • Moderate financial loss (e.g. budget reduction by 5%)
  • Moderate loss of life and/or loss of reputation or image that may take 1 year to recover

Low (Minor), score 2:
  • Delivery of services with acceptable levels of problems / some aspects of one or more of our strategic aims, objectives or key performance targets affected
  • Minor financial loss (e.g. budget reduction below 5%)
  • Event that involves little management time

Very Low (Insignificant), score 1:
  • No impact
  • Insignificant financial loss

Table: Classification Guidance on Risk Likelihood

Very High (Almost Certain), score 5:
  • The adverse event will definitely occur, probably multiple times in a year.

High (Likely), score 4:
  • The adverse event is expected to occur in most circumstances, e.g. a 60% or greater chance of occurring in the next 12 months, or in 6 out of every 10 years. There is a history of such events in the institution or similar organizations.

Medium (Possible), score 3:
  • The risk event should occur at some time, e.g. a 10%-59% chance of occurring in the next 12 months, or in 2-5 out of every 10 years (roughly a 50/50 chance of occurring within the next year).

Low (Unlikely), score 2:
  • The risk event may occur only in exceptional circumstances, e.g. below a 10% chance of occurring in the next 12 months, or once in 10 years.

Very Low (Rare), score 1:
  • Highly unlikely to occur in the next 5 years. No history of the adverse event in the organization.

iv.   Determine the overall risk rating

Once you have rated the likelihood and impact, combine the two to determine the overall risk rating. This is done by multiplying the two (i.e. likelihood x impact).

  1. If you used a 3-band rating scale, the highest possible product is 9 and the lowest is 1 (since each factor is 1, 2 or 3, only the products 1, 2, 3, 4, 6 and 9 can actually occur). A risk scoring 1-2 is low, depicted by green; 3-5 is medium, depicted by yellow or amber; and 6-9 is high, depicted by red. The table below illustrates the risk rank or total with its colour and appropriate response:

Table: Risk Rank Levels, Colour Expression and Responses for 3-Band Rating Scale

Risk status (Impact x Likelihood) | Colour | Meaning and Response Required
1, 2                              | Green  | Low concern; occasional monitoring. Tolerate; continue with existing measures and review annually.
3, 4, 5                           | Yellow | Moderate concern; steady improvement needed. Possibly review biannually.
6, 7, 8, 9                        | Red    | Very serious concern; highest priority. Take immediate action and review regularly.

  2. If you used a 5-band scale, the highest possible product is 25 (i.e. 5 x 5) and the lowest is 1 (i.e. 1 x 1).
  3. The table below provides the ranking, colours and possible responses:


Table: Risk Rank Levels, Colour Expression and Responses for 5-Band Rating Scale

Total Risk / Risk Status (Impact x Likelihood) | Description       | Expression in Colour | Meaning and Responses
15-25                                          | Extreme or severe | Red                  | Very serious concern; highest priority. Take immediate action and review regularly.
10-14                                          | High              | Light brown          | Serious concern; higher priority. Take immediate action and review at least three times a year.
5-9                                            | Moderate          | Yellow               | Moderate concern; steady improvement needed. Possibly review biannually.
1-4                                            | Low               | Green                | Low concern; occasional monitoring. Tolerate/accept. Continue with existing measures and review annually.

  4. All the risk ratings obtained in the above process should be filled in the appropriate sections of the Risk Identification and Analysis Sheet.






Risk Evaluation

Risk evaluation involves comparing a risk's overall exposure against the organization's risk tolerance. The purpose of risk evaluation is to make decisions, based on the outcomes of the risk analysis, about which risks need treatment and to prioritize those treatments.

The output of a risk evaluation generally consists of a prioritized list of risks that require further action.

The following key steps are involved in evaluating risks:

i.    Rank the risks using the risk heat map
a)  Risks can be ranked either qualitatively or quantitatively.
b)  Applying qualitative analysis, the most common approach to visually recording risk is the risk heat map. This can be done using a 5 by 5 heat map. Note that if you are using a 3-band rating scale, the risk heat map will be 3 by 3.
c)  This is sometimes referred to as a risk matrix.
d)  The heat map is a colour-coded matrix with each colour indicating the level of risk.
e)  The heat map represents the tolerance level of your organization.
f)  Based on the control effectiveness rating, the likelihood of the risk occurring and the potential consequences identified in the earlier phase, plot the risks against the matrix.
g)  Applying semi-quantitative analysis, the organization can also rank the risks based on their numerical value.
h)  The numerical value is a combination of the values assigned by the organization to control effectiveness, likelihood and consequence.


ii.   Consider the overall risk profile
  1. Once the initial risk profile has been developed, the organization may need to consider how each risk ranks in relation to the other risks.
  2. This step allows the organization to conduct a sanity check of the risks that have been placed on the heat map, to ensure that risks are rated correctly when compared to each other.
  3. Possible outcomes of this step include:
  • Reassessing the rating of some of the risks if it is felt that the overall spread of the risks relative to each other is not a true reflection of reality.
  • Recognizing that some risks are similar to other risks, or are contributing factors to other risks, and hence may be incorporated into the description of other risks within the Risk Register.
  • Considering the interdependencies between the risks and the consequence for the organization if more than one risk occurred at the same time. This may result in changes to the overall risk ratings.

iii.  Develop a priority list of risks
a)  The primary objective of evaluation is to prioritize risks.
b)  This helps to inform the allocation of resources, both financial and non-financial, to manage risks.
c)  The priority list can be categorized by a number of different criteria depending on what is most relevant for the organization, e.g. risk rating, functional area, or type of impact (i.e. strategic or operational).
d)  This will further refine the focus for risk treatment.
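The scoring and evaluation steps above (overall rating = likelihood x impact, banding and colour on the 3-band and 5-band scales, plotting on the heat map, and the priority list) carried through in code, as an added worked example that is not part of the original page. The band thresholds and responses are the ones in the tables above; the Risk class, the function names and the register of hypothetical security risks are this example's own assumptions, and the tie-break by impact when two risks share a total is an assumption of the example, not a rule the page states.

```python
"""Score, band and prioritise a risk register on the page's 3-band or 5-band scale.
Added example, not part of the original page; the sample risks are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Band thresholds and responses taken from the page's two rating tables:
# (lowest total, highest total, band name, colour, required response).
BANDS: Dict[int, List[Tuple[int, int, str, str, str]]] = {
    3: [
        (1, 2, "Low", "Green", "Tolerate; continue existing measures, review annually"),
        (3, 5, "Medium", "Yellow", "Steady improvement needed; review biannually"),
        (6, 9, "High", "Red", "Take immediate action; review regularly"),
    ],
    5: [
        (1, 4, "Low", "Green", "Tolerate/accept; review annually"),
        (5, 9, "Moderate", "Yellow", "Steady improvement needed; review biannually"),
        (10, 14, "High", "Light brown", "Take immediate action; review at least three times a year"),
        (15, 25, "Extreme", "Red", "Take immediate action; review regularly"),
    ],
}


@dataclass(frozen=True)
class Risk:
    ref: str          # identifier used on the Risk Identification and Analysis Sheet
    description: str
    category: str     # exactly one category per risk, as the page requires
    likelihood: int   # 1..scale
    impact: int       # 1..scale


def total(risk: Risk, scale: int) -> int:
    """Overall rating = likelihood x impact, after checking both sit on the scale."""
    if scale not in BANDS:
        raise ValueError(f"unsupported scale {scale}; use 3 or 5")
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= scale:
            raise ValueError(f"{risk.ref}: {name}={value} is outside 1..{scale}")
    return risk.likelihood * risk.impact


def band(scale: int, score: int) -> Tuple[str, str, str]:
    """Map a total to (band, colour, response) using the page's thresholds."""
    for low, high, name, colour, response in BANDS[scale]:
        if low <= score <= high:
            return name, colour, response
    raise ValueError(f"total {score} has no band on the {scale}-band scale")


def prioritise(risks: List[Risk], scale: int) -> List[Tuple[str, int, str]]:
    """Priority list: highest total first. Ties are broken by higher impact,
    which is an assumption of this example, not a rule stated on the page."""
    scored = [(r.ref, total(r, scale), band(scale, total(r, scale))[0], r.impact) for r in risks]
    scored.sort(key=lambda s: (s[1], s[3]), reverse=True)
    return [(ref, score, name) for ref, score, name, _ in scored]


def heat_map(risks: List[Risk], scale: int) -> Dict[Tuple[int, int], List[str]]:
    """Heat map cells keyed (likelihood, impact) -> refs of the risks plotted there."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        total(r, scale)  # validates the ratings against the scale
        cells.setdefault((r.likelihood, r.impact), []).append(r.ref)
    return cells


def render_heat_map(risks: List[Risk], scale: int) -> str:
    """Text rendering: impact on rows (highest at the top), likelihood on columns."""
    cells = heat_map(risks, scale)
    lines = ["Impact \\ Likelihood " + " ".join(f"{l:>8}" for l in range(1, scale + 1))]
    for i in range(scale, 0, -1):
        row = [f"{i:>19}"]
        for l in range(1, scale + 1):
            row.append(f"{','.join(cells.get((l, i), [])) or '.':>8}")
        lines.append(" ".join(row))
    return "\n".join(lines)


# Constructed sample register of hypothetical risks (not from the page). Note that
# each entry is an event, not a missing control, per the page's distinction.
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware encrypts the file servers", "Technology", likelihood=4, impact=5),
    Risk("R2", "Phishing yields staff credentials", "People", likelihood=5, impact=3),
    Risk("R3", "Cloud signing key is leaked from CI", "Technology", likelihood=2, impact=4),
    Risk("R4", "Backup restore fails during an outage", "Operational", likelihood=3, impact=2),
    Risk("R5", "Public website is defaced", "Reputational", likelihood=1, impact=1),
]

if __name__ == "__main__":
    for ref, score, name in prioritise(SAMPLE_REGISTER, 5):
        print(f"{ref}: total {score:>2} -> {name} ({band(5, score)[2]})")
    print(render_heat_map(SAMPLE_REGISTER, 5))
```

Running the block prints the priority list (R1 at 20 and R2 at 15 fall in the Extreme band, R3 and R4 in Moderate, R5 in Low) followed by the 5 by 5 heat map with each risk reference in its cell; passing `scale=3` to the same functions applies the 3-band thresholds instead and rejects any rating above 3.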
