Risk Management Process: Identifying Risks
Risk Management is an inherent process within organizations operating across all industries and sectors for business sustainability in today’s competitive and complex environment. It is now one of the most important decision-making functions in an organization compared to the times when Risk Management was considered as a Support Function. Risk Management was seen as a Corporate Function related to Insurance & Finance with no relation to the other scope of business operations. Over time, the concept of “Risk” has gradually evolved and now plays a significant role in organizational effectiveness and is integrated into the organizational strategic objectives and daily practices.
As per ISO 31000 – International Risk Management System Standard, the Risk Management Process consists of Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, Risk Monitor & Review, Risk Communication & Culture, etc.
The risk identification method involves a strategy for identifying, recognizing, and describing risks that may aid or obstruct the attainment of goals and their many concrete and intangible effects. There are multiple risks faced and exposed by an organization concerning internal and external factors such as Environmental Risk, Financial Risk, Human Resource Risk, Health & Safety Risk, Operational Risk, Security Risk, Strategic Risk, etc.
It is of high significance that the organization should adopt measures to identify high-level risks related to the Project, Operational, Financial, Legal, Compliance, Reputational, Stakeholder Interface, Natural Disaster and Strategic, etc. aspects of the organization.
The objective of the Risk Identification process is to identify a comprehensive list of risks and events that might impact the achievement of the organization’s strategic objectives, including weaknesses, opportunities, threats, and sub-optimized results.
Identifying Risks is the first step in understanding the risks that may prevent the organization from achieving its objectives, its overall risk exposure, and how risks should be managed.
The following should be considered while identifying risks across business operations in the organization:
- What is the Risk? What can happen if it is not treated? List the Risk & Possible Events
- Why and how can the risk create a negative impact on the organization? List the root cause and event scenarios.
- How can the risk be treated? List the tools and techniques to approach and treat the risk
All risks should be identified, regardless of whether they are under the organization’s jurisdiction authority or related to the organizational business operations.
There are various risk identification tools utilized by organizations depending on the scope of business operations and other factors such as Management Systems, etc. Some of the Risk Identification tools include:
- Bow Tie Analysis
- Hazard & Operability Studies (HAZOP)
- Monte Carlos Simulation
- Risk Register
- SWOT Analysis
- Event Tree Analysis
- Fault Tree Analysis
Risk registers are a common tool used when undergoing risk identification processes. ERM Risk registers are different than the risk and control matrices commonly used in internal audits. ERM risk registers represent risks to achieving strategic objectives, whereas risk registers for controls and internal audit purposes are generally at the process, activity, and task level.
Risk Assessment is to identify potential threats due to which risks are classified by using two separate values: Likelihood and Impact. Specifically, the main objective of Risk Assessment is to understand the threat. Risk Assessment is mainly undertaken to: Identify and Record all Potential Threats and to provide those threats a Comparative Risk Value on a quantitative and qualitative aspect. The likelihood is described on different units such as once every 10 years, once every hundred times, once every 24 hours, etc. The impact is also described in different ways based on factors such as Safety (Lives Saved/Lost), Financial Loss, Production (Hours Saved/Lost), Reputational Loss, Asset Lost, etc.
- Anon, 2017. National Risk Register of Civil Emergencies: 2017 edition, London: Cabinet Office.
- Leitch, M. (2010). ISO 31000:2009-The New International Standard on Risk Management. Risk Analysis, 30(6), pp.887–892.
- International Organization For Standardization (2012). Societal security: business continuity management systems requirements. Geneva: International Organization For Standardization.
- org. (2021). [online] Available at: https://www.iso.org/obp/ui/#iso:std:iso:22301:ed-2:v1:en.
- British Standards Institution (2014). Crisis management: guidance and good practice. London: British Standards Institution.
- Global Risks 2019. (n.d.). The Global Risks Report 2019. [online] Available at: http://reports.weforum.org/global-risks-2019/?doing_wp_cron=1634906993.6807320117950439453125 [Accessed 22 Oct. 2021].
Blog Author: Kartik Unnikrishnan – Student Risk Committee Member, IRM India Affiliate