Nov 07, 2020
Enumeration of risks
The first step in comprehensive risk management is to define the scope of the assessment. In many cases the overall risk of an entire company needs to be evaluated. Alternatively, a sub-section – e.g. a business unit or a country organization – may be in the assessment scope.
In the second step, those in-scope risks are to be listed which objectively and according to the gut feelings can cause significant financial damage. For example, “Destruction of production site 2 by fire or bomb attack” can be listed here. Or “power failure in the administration building”. This list can become quite long, but don’t let that put you off.
Whether you insert risks from an existing SWOT analysis here depends on your focus.
Once the list has been drawn up, the time has come for estimates and assumptions. Two values should be added to each of the identified risks:
- Damage (loss of life, financial damage) when the risk occurs
- Probability that the risk will occur.
The damage should be quantified in monetary units. The probability of occurrence ought to be estimated over a certain period of time (e.g. 5 or 10 years) and as a percentage. The challenge here is to apply these two estimates consistently across the risk list.
Procedure methods
Brainstorming and group work with subsequent coordination have proven to be suitable for identifying and assessing risk elements. Experience has shown that the second approach brings better results, since the points are taken up twice and, as a rule, different approaches have to be compared. As soon as the corresponding values have been agreed, the assessment can begin.
The following assessment is quite simple. The two estimated values of “costs in the event of damage” and the “probability of occurrence” are multiplied for each identified risk element. The result (product) of the arithmetic operation represents the assessed risk value. The list is now sorted according to this assessed risk value, so that the highest value is on top. Reviewing the list reveals the critical areas.
Gain some distance
It is advisable to let the evaluated list rest for a while and only look through it again after a few days.
- Have assessments or evaluations changed?
- Should one or the other position be adjusted?
- Can a colleague from another team give a more precise assessment?
- Would a senior management review be helpful?
Don’t worry if everything doesn’t seem to be going right in the first and second rounds. The risk assessment should generally be repeated every 6 to 12 months. Only in this way can changed situations be dealt with more or less promptly.
Once the list of risks has consolidated with the assessments and essentially a consensus has been reached, the real work begins.
Responsibility and deadline
A person responsible for the treatment is assigned to each risk item and a date is set for the definition of the measures and / or their implementation. In the first round, in most cases an attempt will be made to reduce the risks, i.e. to mitigate them.
The measures that are introduced for risk management should be documented and traceable. A ticket system can provide the necessary support.
Treatment of Risks
Each risk can be addressed in at least one way – or a combination of:
- Mitigation
- Transfer
- Acceptance
Mitigation is about reducing the probability of occurrence and / or the potential amount of damage. Proactive or reactive measures can be provided here. Fire extinguishers do not reduce the likelihood of a fire breaking out; if used correctly and promptly, a fire will cause less damage – a clearly reactive measure.
Continuous monitoring of the temperature of a production process and automatic shutdown after reaching a critical value would then be a proactive measure that ensures that no fire breaks out.
If risks cannot be mitigated easily or at reasonable costs, it must be checked whether a transfer is possible. As a rule, this means that appropriate insurance coverage is procured. Depending on the nature of the risk and the amount of damage to be insured, this can be a difficult undertaking. Insurance brokers such as Lloyd’s London, who show a great deal of flexibility here, often offer a remedy.
If the risks are reduced to a manageable level, there is often a residual risk that can no longer be treated economically. The Pareto principle also applies here. Here companies can accept the risk and, if necessary, may take internal precautions.
The risks – or residual risks – that can no longer be mitigated or transferred – must be accepted by the organization. Here the management is responsible. Those responsible must be aware of these remaining risks.
Cost / benefit considerations
Since nothing happens in risk treatment without the necessary resources (time, money) being made available, the possible variants must now be compared. Here, too, several iterations are usually necessary.
Keep list up to date
As the risks are dealt with, they will disappear from the list or be assessed differently. But new risks are constantly emerging. It is therefore sensible and necessary to repeat this risk assessment every 6 to 12 months.
Maintain compliance
All compliance standards that include a risk assessment require that this assessment be repeated periodically – usually at least once a year. In this way, the requirements of the compliance standards can be met.
The following standards, among others, can be used as guidelines for risk assessment models: OCTAVE, ISO 27005 and NIST SP 800-30.
Fragen oder Kommentare?
Rufen Sie uns an!
Daniel Linder
Senior Consultant
Tel +41 58 311 1024