Risk Assessment Overview

For a business to adequately protect against adverse risk events, the actual risks to the business must be thoroughly understood. The risk assessment process is undertaken to achieve this understanding and firstly necessitates documenting background information (context) relevant to the risk assessment activity. The process of risk assessment can be applied to any activity, project, entire business or a part of a business. Its application is limitless.

The Australian/New Zealand Standard Risk Management (AS/NZS 4360:2004) defines risk assessment as the process of risk identification, risk analysis and risk evaluation as follows:


Risk Identification
Risk identification is an important part of the risk assessment process and involves identifying the where, when, why and how risk events could prevent, degrade, delay or enhance the achievement of business objectives.

Risk Analysis
Risk analysis is the part of risk assessment that identifies and evaluates existing controls, then determines the consequences and likelihood of each risk and hence its overall level. Risk analysis should consider the range of potential risk consequences and how these could occur.

Risk Evaluation
Risk evaluation is the final step in the risk assessment process. Risk evaluation compares estimated levels of risk against the pre-established risk criteria and considers the balance between potential benefits and adverse risk outcomes. This enables decisions to be made about the extent and nature of risk treatments required and respective risk management priorities.

The following process of risk assessment is consistent with AS/NZS 4360:2004 and has been broken down into a number of risk assessment activities to provide a general overview. Detailed risk assessment guidance and risk assessment templates can be found within the Handbook Risk Management Guidelines Companion to AS/NZS 4360:2004.

Establishing the Context
A risk assessment cannot be carried out without first understanding its subject. Documenting the context provides an overview of the business, its objectives and specific criteria for business success, the objectives and scope of the risk assessment activity and a set of key elements for structuring risk assessment activities. Establishing the context is part of risk management planning and is the essential first step in the risk assessment process. It is focused on:

  1. Obtaining an understanding of the subject of the risk assessment activity and its risks.
  2. Establishing the scope of the risk assessment activity being undertaken.
  3. Developing a structure for risk assessment activities.

Elements of context requiring consideration include the internal and external environments of the business and the purpose of the risk assessment activity. The depth of information required relates directly to the size and complexity of the risk assessment activity being undertaken. A well defined risk context is invaluable to the risk assessment process and will inform the risk identification, risk analysis and risk evaluation processes.

External Context
Defining the external context includes consideration of the external environment in which the business operates and understanding the relationship between the environment, external stakeholders and the business. The external context may include the:

  1. Environment: business, social, regulatory, cultural, competitive, financial and political situation.
  2. SWOT: business strengths, weaknesses, opportunities and threats.
  3. Stakeholders: objectives and expectations of individuals, groups and organisations with a significant interest in the business.

Internal Context
Defining the internal context includes documenting the key aspects of the business and may include:

  1. Goals and objectives.
  2. Structure, function and key processes.
  3. Physical and technological infrastructure and maintenance arrangements.
  4. Locations of business sites and other operations.
  5. Details of internal stakeholders.
  6. The prevailing culture and workforce morale.
  7. Resource capabilities such as people, systems, processes and capital.

Risk Management Context
Defining the risk management context includes establishing key information related to the subject (activity, project, organisation etc) to which the risk assessment process is being applied. This includes defining the:

  1. Goals and objectives of the risk assessment activity.
  2. Scope and parameters of the risk assessment, including specific inclusions and exclusions.
  3. Identification of data sources to be utilised to inform the risk assessment.
  4. Risk assessment approach to be utilised.
  5. Risk assessment reporting and recording requirements.
  6. Relationship of the risk assessment with other business activities and plans.
  7. Risk assessment criteria against which risks are to be evaluated, such as how risk likelihood will be defined, the kinds of risk consequences that will be considered and what level of risk will require further risk reduction treatment.
  8. Key components: the subject of the risk assessment is best broken down into parts or key topics. This establishes a framework in which risks are identified for each part, one by one, ensures that all areas of risk are considered during the risk assessment process and supports the formulation of a comprehensive list of risks. How key topics are established and selected will depend on the objectives of the risk assessment activity and the issues of concern.

Risk Identification
The process of identifying risks to be managed is best undertaken by breaking down the subject of the risk assessment into key parts or topics, as established in the risk management context. Before undertaking the risk identification process, it is important to gather information on historical incidents and emerging issues relevant to the subject of the risk assessment activity. This may include data specific to the organisation and general information relevant to the subject. Sources include, but are not limited to, internal incident data, results from risk audits, staff interviews or risk assessment workshops, risk assessment questionnaires and open source data.

The process adopted for identifying a comprehensive list of risks, as part of the risk assessment will be dictated by time and budget constraints. Where the risk assessment activity requires consideration of a broad range of risks, a staged approach may be appropriate. A high level risk assessment may be undertaken to identify and assign risk assessment priorities to focus detailed risk analysis on areas of the highest priority.

The risk identification process is most effective when key stakeholders are involved in structured risk assessment workshops. Each key part or topic is reviewed one by one and the following risk factors identified:

  1. Sources of risk or threat: what has the inherent potential to harm or facilitate harm?
  2. What could happen: what events or incidents could occur whereby the source of risk or threat has an impact on the achievement of objectives?
  3. Where: the physical locations/assets where the risk event could occur or where the direct or indirect risk consequences may be experienced.
  4. When: specific times or time periods when the risk event is likely to occur and/or the risk consequences realised.
  5. How: the manner or method in which the risk event or incident could occur.
  6. Causes: what are the direct and indirect risk factors that create the source of risk or threat?
  7. Business consequences: what would be the impact on objectives if the risk was realised?
  8. Business areas / stakeholders affected: what parts of the business and what stakeholders might be involved or impacted by the risk?
  9. Existing risk controls: a preliminary review is undertaken to identify existing risk controls (a detailed review is completed during the risk analysis process):
     a. What risk controls currently exist to minimise the likelihood and consequences of each risk?
     b. What vulnerabilities exist that could undermine the effectiveness of the risk controls?

When each part or key topic has been reviewed and a list of all risks established, consideration is given to whether the list is comprehensive, the objectives and scope of the risk assessment activity have been adequately covered and whether the risk information relied upon is valid and credible.

Record your information in this sample Risk Register template with automated ratings functionality. You can modify the risk criteria to suit your own organisation's risk needs and appetite.

Risk Analysis
The risk analysis process involves developing a clear understanding of the level and nature of each risk identified. Risk analysis informs decisions on whether additional treatment is required and what strategies will be most appropriate and cost-effective to implement. Risk analysis incorporates consideration of the sources of risk, the potential risk consequences should the risk be realised and likelihood those risk consequences will occur. The level of each risk is defined by combining the risk consequences and likelihood to establish a risk rating.

The risk assessment may be undertaken using qualitative risk analysis, quantitative risk analysis or semi-quantitative risk analysis. Detailed information on each method of risk analysis and their associated processes can be found within the Risk Management Guidelines Companion to AS/NZS 4360:2004.

Preliminary risk analysis
A preliminary risk analysis that identifies and, where appropriate, combines similar risks and excludes low impact risks from further analysis makes the risk analysis more efficient. Any risks excluded at this stage are best retained on the risk register, as this demonstrates the completeness of the risk assessment process.

Assess existing risk controls
A review of existing risk controls, as documented for each risk during the risk identification process is undertaken to assess their strengths and weaknesses and subsequent effectiveness in minimising the risk. Risk controls can act to reduce either the likelihood of the risk being realised, the severity of the resulting risk consequences or both.

Risk consequences and risk likelihood
As with risk identification, reliable information is used to inform the analysis of risk consequences and risk likelihood. The magnitude and severity of the consequences should a risk be realised, and the likelihood of the risk event occurring and of those consequences following, are analysed in the context of the effectiveness of existing risk controls.

A rating is assigned to the consequences and to the likelihood of each risk, and the two are combined to establish the overall risk rating. The overall level of risk supports the establishment of risk treatment priorities and informs the development of risk treatment options.

Uncertainty of risk
Uncertainty is inherent in risk. Even when robust risk management is in place and an in-depth risk assessment has been undertaken, uncertainty around some risks can prevail. Such uncertainty can be characterised by the fact that we do not know what we do not know.

There are ways to deal with uncertainty and variability, including sourcing additional risk assessment information where uncertainty prevails. However, in some circumstances even in depth risk analysis and implementation of risk controls may not resolve such uncertainty.

Risk Evaluation
The process of evaluating risk informs decision-making on which risks require treatment and the priorities for implementation of risk treatment. The rating of each risk is reviewed against the risk criteria established in the risk management context, to determine the need for and type of risk action to be considered.

Tolerable Risk
Tolerable risk is a concept originating in the late 1980s, when Sir Frank Layfield noted that although acceptable risk is often used in balancing risks and benefits, it does not adequately convey the reluctance with which possibly substantial risks and benefits may be tolerated.

The As Low As Reasonably Practicable (ALARP) concept emerged from this, whereby risk is evaluated against a spectrum of three broad bands:

  1. Lower band: risks are negligible and no risk treatment measures are required.
  2. Middle band: benefits are considered against potential adverse consequences.
  3. Upper band: adverse risks require treatment whatever their cost and regardless of the benefits the activity may bring.

A risk is characterised as ALARP when significant health, safety or environmental consequences remain even after reasonably practicable treatment measures have been implemented. Such risks are often indirect and consequence driven, i.e. the source of risk is not within the control of the organisation, as with earthquakes and terrorism.

When a risk is close to the intolerable level, the expectation is that risk will be reduced unless the cost of doing so is grossly disproportionate to the benefits gained. Similarly, where a risk is close to the negligible level, then action may only be required to reduce the risk where the benefit exceeds the cost of reduction.

ALARP is a risk evaluation approach focused on the practicality of whether anything can be done to reduce the risk and the costs and benefits associated with taking, or not taking action to reduce the level of risk.
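To make the rating step of the Risk Analysis section and the band logic of this section concrete, here is an added example in Python. It is not code from this page, from the AS/NZS 4360:2004 standard or from its companion handbook. It implements a small risk register of the kind the Risk Identification section refers to: a constructed 5x5 likelihood/consequence matrix produces an inherent rating, credit is given only for controls that the existing-controls review found effective to produce a residual rating, and the residual rating is evaluated against constructed risk criteria that map onto the three ALARP bands, including the gross disproportion test described above. The scales, the matrix, the band mapping, the disproportion factor, the cost and benefit figures and the sample risks are all assumptions made for illustration; an organisation would substitute the criteria set in its own risk management context.

```python
"""Risk register with automated ratings and ALARP banding.

Added example, not code from risk.com.au or from AS/NZS 4360:2004.
The 5-point scales, the rating matrix, the band mapping, the gross
disproportion factor and the sample risks are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed 5-point scales (assumption: your own criteria may differ).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Constructed qualitative matrix: rows are likelihood 1..5, columns consequence 1..5.
MATRIX = [
    # C1   C2   C3   C4   C5
    ["L", "L", "M", "M", "H"],  # likelihood 1, Rare
    ["L", "L", "M", "H", "H"],  # likelihood 2, Unlikely
    ["L", "M", "H", "H", "E"],  # likelihood 3, Possible
    ["M", "M", "H", "E", "E"],  # likelihood 4, Likely
    ["M", "H", "E", "E", "E"],  # likelihood 5, Almost certain
]
RATING_NAME = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}
RATING_ORDER = {"L": 0, "M": 1, "H": 2, "E": 3}

# Constructed risk criteria: which ALARP band each rating falls into.
BAND = {"L": "lower", "M": "middle", "H": "middle", "E": "upper"}


def rate(likelihood: int, consequence: int) -> str:
    """Matrix lookup; values outside the defined scales are rejected."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be 1..5")
    return MATRIX[likelihood - 1][consequence - 1]


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale steps removed while the control works
    consequence_reduction: int = 0
    effective: bool = True          # finding of the existing-controls review


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int                 # inherent, i.e. before controls
    consequence: int
    controls: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Likelihood/consequence after crediting only effective controls."""
        like, cons = self.likelihood, self.consequence
        for ctl in self.controls:
            if ctl.effective:
                like -= ctl.likelihood_reduction
                cons -= ctl.consequence_reduction
        return max(1, like), max(1, cons)

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.consequence)

    def residual_rating(self) -> str:
        return rate(*self.residual())


def evaluate(risk: Risk, treatment_cost: float, benefit: float,
             disproportion_factor: float = 3.0) -> str:
    """Apply the three ALARP bands to the residual rating.

    treatment_cost and benefit are assumed estimates in the same units;
    disproportion_factor (constructed) is how many times the benefit a
    treatment may cost before it counts as grossly disproportionate.
    """
    band = BAND[risk.residual_rating()]
    if band == "upper":
        return "treat: intolerable regardless of cost"
    if band == "lower":
        return ("treat: benefit exceeds cost of reduction" if benefit > treatment_cost
                else "retain: negligible, no treatment required")
    if treatment_cost > disproportion_factor * benefit:
        return "tolerate: cost grossly disproportionate to benefit"
    return "treat: reduce to ALARP"


def prioritise(risks: list) -> list:
    """Treatment priority: highest residual rating first, then by identifier."""
    return sorted(risks, key=lambda r: (-RATING_ORDER[r.residual_rating()], r.ident))


# Constructed sample register (not real incident data).
REGISTER = [
    Risk("R1", "Ransomware encrypts shared file servers", 4, 4,
         [Control("Offline backups", consequence_reduction=2),
          Control("Mail filtering", likelihood_reduction=1)]),
    Risk("R2", "Phishing of finance staff causes a fraudulent payment", 4, 3,
         [Control("Dual authorisation of payments", likelihood_reduction=2,
                  effective=False)]),  # review found it bypassed in practice
    Risk("R3", "Earthquake damages the primary site", 1, 5),
    Risk("R4", "Stationery supplier delivers late", 3, 1),
    Risk("R5", "Unpatched internet-facing server is compromised", 5, 4),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        like, cons = r.residual()
        print(f"{r.ident} {RATING_NAME[r.inherent_rating()]:>7} -> "
              f"{RATING_NAME[r.residual_rating()]:>7} "
              f"({LIKELIHOOD[like]}/{CONSEQUENCE[cons]}) band={BAND[r.residual_rating()]}")
```

Two design points follow the text above. A control that the existing-controls review found ineffective (R2) earns no credit, so its residual rating stays at the inherent level, which is what the preliminary review of vulnerabilities in controls is for. Risks that land in the lower band (R4) are still kept on the register rather than deleted, so the register demonstrates completeness.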