IRM ERM M1U3.3 - Identification of Risks Flashcards
ISO 31000 Risk identification
ISO 31000 states that “the purpose of risk identification is to find, recognise and describe risks that might help or prevent an organisation achieving its objectives”.
Risk Assessment three stages:
Risk Assessment comprises three stages:
Risk identification – what are the risks?
Risk analysis – how important are they?
Risk evaluation – so what now? Do we need to take action?
Investigating the consequences of a risk helps to …
Investigating the consequences of a risk helps us to understand the impact on specific aspects of our organisation such as
objectives,
core processes,
key dependencies
and stakeholders;
it helps us see where things can go wrong as the result of a negative risk event
Risk description metalanguage
Taking risk description further, it is important to ensure that the language used separates the causes, risks and consequences:
Causes have happened or are happening, so we use facts and factual language, e.g. "due to", "because of", "as a result of".
Risks are uncertainties, so we only use uncertain language, e.g. "we might not be able to".
Consequences are impacts on objectives that would happen if the risk occurred, with positive impacts indicating an opportunity and negative impacts indicating a threat, e.g. "leading to an inability to …" (threat) or "which would have a positive impact" (opportunity).
Benefits of using this risk metalanguage, and articulating and describing risks well, are:
In summary, some of the benefits of using this risk metalanguage, and articulating and describing risks well, are:
Knowledge of the causes
Understanding the context provides information on how likely the risk is to happen to support risk analysis
Recognising areas of weakness in the causes identifies areas that can be managed to change how likely the risk is to occur
Clear statement of the risk
Knowledge of the consequences
Understanding the effects on objectives should the risk happen provides information on the impact to support risk analysis
Recognising areas of weakness in the consequences identifies areas that can be managed to change the impact should the risk occur
This further knowledge of the likelihood, impact and areas of weakness helps to understand the effort needed to manage the risk further and to identify who should be the risk owner
Issue & Risk
There is also a tendency in some organisations to strongly differentiate between issues and risks.
An issue is a risk that has happened, and therefore there is no uncertainty anymore.
Understanding issues is important to risk management as often these issues may have the potential to repeat, or trigger risks as a result of the issue occurring.
The concept of known unknowns
Facts. We know what we know. Normally something that has already happened, e.g. incidents, issues, events. Q. What do I know I know?
Surprise / black swans. We don't know what we don't know. Q. What do I know I don't know, but acknowledge?
Acknowledged risk. We know what we don't know. Q. I acknowledge there will always be something that surprises me… but to reduce this potential, I'm going to seek:
Elephants in the room. We know our risks but ignore or don't recognise them. Q. What do I know I don't know, but am not acknowledging?
Hopkin and Thompson 5 techniques for risk assessment
Hopkin and Thompson introduce five techniques for risk assessment – for identifying risks, for deciding on the severity of the risks (risk analysis) and deciding on whether the risks need to be treated (risk evaluation).
(1) checklists and questionnaires;
(2) workshops and brainstorming;
(3) inspections and audits;
(4) flowcharts and dependency analysis;
(5) crowdsourcing technology.
Qualitative brainstorming structures at a risk assessment workshop
SWOT and PESTLE analyses.
The SWOT analysis has the benefit that it also considers the upside of risk by evaluating opportunities in the external environment. One of the strengths of the SWOT analysis is that it can be linked to strategic decisions.
However, because it is not a structured risk classification system, there is a possibility that not all of the risks will be identified.
Techniques for undertaking quantitative evaluations.
Hazard and operability (HAZOP) studies
Failure modes and effects analysis (FMEA).
Both of these techniques are structured approaches that ensure that few risks are omitted.
However, the involvement of a wide range of experts is required in order to undertake an accurate quantitative analysis.
HAZOP and FMEA techniques are most easily applied to manufacturing operations.
HAZOP studies examples
HAZOP studies are often undertaken of hazardous chemical installations and complex transport structures, such as railways.
Also, HAZOP studies of complex installations, such as nuclear power stations, are often undertaken. They can also be applied to the analysis of the safety of products. In both cases, these are very analytical and time-consuming approaches, but such an approach will be necessary in a wide range of circumstances.
Techniques for risk assessment analysis
Questionnaires and checklists
Advantages: consistent structure guarantees consistency; greater involvement than in a workshop.
Disadvantages: rigid approach may result in some risks being missed; questions will be based on historical knowledge.
Workshops and brainstorming
Advantages: consolidated opinions from all interested parties; greater interaction produces more ideas.
Disadvantages: senior management tends to dominate; issues will be missed if the incorrect people are involved.
Inspections and audits
Advantages: physical evidence forms the basis of opinion; audit approach results in good structure.
Disadvantages: inspections are more suitable for hazard risks; audit approach tends to focus on historical experience.
Flow charts and dependency analyses
Advantages: useful output that may be used elsewhere; analysis produces better understanding of processes.
Definitions of emerging risk
“A risk that is evolving in areas and ways where the body of available knowledge is weak” (IRM's Charities Special Interest Group).
The International Risk Governance Council defines emerging risk as “a risk that is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging).
Emerging risks [are issues that] are perceived to be potentially significant, but which may not be fully understood and assessed, thus not allowing risk management options to be developed with confidence.”
As noted in the IRM (2021) paper, tackling emerging risks enables organisations to build and maintain resilience, so that they are more likely to survive and perhaps thrive in these very uncertain times.
Reasons why organisations choose to classify risks.
There are different reasons why organisations choose to classify risks. Risk classification:
Provides structure to the process of risk identification, which can facilitate the identification of more risks – for example, by delegates in a risk management workshop – than would be the case if a risk classification does not exist.
Helps with the development of consistent risk terminologies across the organisation, which is essential for ERM to work.
Enables the organisation to collect similar risk types throughout the organisation, which can:
enhance organisational knowledge
assign responsibilities for specific types of risk
estimate total exposure to risk by type of risk using the expertise of relevant professionals for each risk type.
help to determine the level of risk by type that can be accepted by the organisation.
enable a bundling together of risks for similar treatment – such as single insurance policies for one type of risk – which can increase the efficiency of risk management.
Considering risk networks can help organisations:
Considering risk networks can help organisations:
better understand the effect of decisions relating to risks and their management
recognise secondary risks arising from the management of risks
improve the embedding of risk management
improve risk awareness, risk ownership and accountability
encourage greater engagement in the process.