Techniques and Methods [Analysis]
Despite the necessity for all businesses and managers to be able to evaluate and prioritise risk issues, there still remains significant disparity in the comprehension of risk issues, the methodology employed and the techniques used.
This week’s article comes from Wesley Thomson, a next generation security professional currently studying for his Bachelor of Science-BSc (Hons), Risk & Security Management, based in Cape Town, South Africa. He shares some valuable insights and helps to educate and standardise more of the risk assessment process.
Risk is an integral part of everyday life for individuals as well as for larger organisations such as government and private sector corporations. The success or failure of such corporations often depends on the manner in which these risks are managed. Risk is defined in the Oxford Dictionary as ‘a situation involving exposure to danger’ or rather ‘the possibility that something unpleasant or unwelcome will happen’ (“Risk”, 2014). The international guide to risk definitions, ISO Guide 73, defines risk as the ‘effect of uncertainty on objectives’ (International Organization for Standardization, 2009). From these three definitions three common denominators can be identified: there is an event that occurs, a probability that the event will occur, and an effect that the event will have on an objective. The management of these three aspects can be seen as risk management.
Risk management is key to the successful achievement of objectives for any organisation. There are many benefits of risk management, at both individual and enterprise level. Organisations with mature risk frameworks and procedures benefit from knowing that they comply with regulations, that they offer assurance to stakeholders that objectives will be achieved, that they are more likely to make correct decisions because the information available for making them is comprehensive, and that business processes and procedures are efficient and not counter-productive (Hopkin 2010, p. 4). Ultimately this leads to an attractive return on investment through the successful achievement of objectives. Risk assessment is part of the overall framework on which risk management is built (Great Britain. HM Treasury, 2013, p. 13). Most risk frameworks use a risk management process that consists of five phases: identification, assessment, response, report, and review. Risk assessment makes up the first two phases and also informs practitioners how to proceed with the third (BSI Standards, 2008, p. 18).
Risk assessment can be described as the process of identifying risk, analysing it, and evaluating it (International Organization for Standardization, 2009). This process is key to the overall success of risk management. It is a skill that requires intricate knowledge of the organisation, the environment in which it operates, and the rules and regulations that govern it (The Institute of Risk Management, 2010, p. 8; Ostrom & Wilhelmsen, 2012, p. 224). There are no set rules or processes for performing a risk assessment, only personal or collective judgement together with a vast array of tools and techniques developed to help in the process. These tools and techniques make the risk assessment as complete as possible, so that as many risks as possible are identified. This leads to a holistic approach and a comprehensive, well thought out risk assessment. Risk assessment is not an independent process and should not be treated as one. A completed risk assessment should lead to a risk report that is then used in the decision process of risk response (Hopkin, 2010, p. 121). Failure to do this leads to an inadequate risk management programme. This essay discusses techniques and approaches used to identify, analyse and evaluate risks.
The first step when conducting a risk assessment is the identification of all risks that might be associated with the internal and external aspects of the organisation. It is important for the risk manager to identify all external as well as internal factors that are at risk. Risk identification is the ‘process of finding, recognizing and describing risks’ (International Organization for Standardization, 2009). There are numerous ways in which to identify risks. Choosing the correct tool for an organisation often depends on the culture of the organisation. If the culture of the organisation is one of solidarity and individualism then a questionnaire would suit this environment better than a brainstorming session. The simplest way to identify risk is by walking around an organisation with a clipboard and writing down risks as they appear (Health and Safety Executive, 2011, p. 1), although this is not a completely comprehensive approach and should be used in conjunction with other risk identification tools. One such tool is a workshop or brainstorming session with a group of employees from different departments of the organisation. The benefit of holding such meetings is the consolidation of opinions from people from different parts of the organisation (Committee of Sponsoring Organizations of the Treadway Commission, 2012, p. 9). The problem with this technique is that upper management often dominates meetings of this kind. It will also not work if the culture of the organisation is one of solidarity, or if the incorrect people are involved (Hopkin, 2010, p. 124). A mixture of methods, such as the use of checklists as well as group meetings, ensures that a more comprehensive approach to risk identification is taken.
The next step is to analyse all the risks that have been identified. Risk analysis is a ‘process to comprehend the nature of risk and to determine the level of risks’ (International Organization for Standardization, 2009). As with risk identification, there are tools and techniques that a practitioner can use to aid the process of risk analysis. When conducting a risk analysis it is essential to look at each risk and verify that it is indeed a risk. Once the risk has been verified it can be prioritised. When prioritising a risk, the likelihood of the risk occurring and the consequences that come with it, be they positive or negative, are recorded (BSI Standards, 2008, p. 18). The use of a risk matrix is common when prioritising risk. A risk matrix is a visual scale that demonstrates the relationship between the likelihood and consequence of a risk (Hopkin, 2010, p. 125). The greater the likelihood and the more severe the consequence, the higher the risk is ranked. These two variables are independent of each other: if the likelihood of a risk increases, it does not necessarily mean that the consequence increases. The use of a risk matrix aids the understanding of each risk as well as assigning each risk a risk level (BSI Standards, 2011, p. 34).
A technique often used in the chemical process industry is the HAZOP approach, a Hazard and Operability study. This technique involves the methodical and holistic analysis of the processes and operations of an organisation. It aids in the identification, evaluation, and ultimately the mitigation of risk. In essence a process is identified and fully described. The process is then questioned to assess how deviations could alter the process’s outcome. These deviations are then noted and analysed to assess their likelihood and consequences (Hurford, 2012, p. 28). This technique has many benefits and is commonly used, as it is a systematic way of identifying risk. The knowledge drawn from a meeting of collectively very experienced individuals is invaluable. There are, however, limitations to how effective HAZOP studies are. The main issues arise when HAZOP teams are comprised of inexperienced individuals. This leads to the loss of a systematic approach, and risks can be missed as a result (Casey, 2013, p. 23). Other issues such as the facility in which the meeting is held, poor meeting minutes, and team tiredness are also factors to consider (Feltoe, 2013, p. 22).
The final process in a risk assessment is the evaluation of the identified and analysed risks. This is the ‘process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable’ (International Organization for Standardization, 2009). Now that all risks have been identified and prioritised according to their impact and likelihood, they can be compared to the risk criteria set out by the organisation. To understand and fully appreciate whether a risk might or might not be tolerable there needs to be a good understanding of the organisation’s risk appetite (BSI Standards, 2008, p. 13). A well-developed risk appetite should be measurable, integrated and governed (The Institute of Risk Management, 2011, p. 7). Ultimately the outcome of risk evaluation is a decision for each risk as to how it is going to be mitigated or transferred, or whether it is within the risk appetite and can be tolerated.
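The analysis and evaluation steps described in the two paragraphs above, as an added example that is not from the article or its sources: a small risk register is scored on a five-by-five likelihood/consequence matrix, ranked, and each entry compared against a risk appetite to decide whether it is tolerated or needs a response. The scale labels, the level bands in the matrix, and the register entries are all constructed assumptions; an organisation would substitute its own criteria.

```python
from dataclasses import dataclass

# Ordinal scales (assumed five-point labels; an organisation sets its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk matrix indexed [likelihood - 1][consequence - 1]. The bands are assumed and are
# deliberately not a plain product: the two axes are independent, so a severe
# consequence is never rated "low" just because it is rare.
MATRIX = [
    ["low",    "low",    "low",    "medium",  "medium"],   # rare
    ["low",    "low",    "medium", "medium",  "high"],     # unlikely
    ["low",    "medium", "medium", "high",    "high"],     # possible
    ["medium", "medium", "high",   "high",    "extreme"],  # likely
    ["medium", "high",   "high",   "extreme", "extreme"],  # almost certain
]
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str

def risk_level(risk: Risk) -> str:
    """Risk analysis: look the risk up on the matrix to assign it a level."""
    return MATRIX[LIKELIHOOD[risk.likelihood] - 1][CONSEQUENCE[risk.consequence] - 1]

def rank(risks: list[Risk]) -> list[Risk]:
    """Prioritise: highest level first, ties broken by consequence, then likelihood."""
    return sorted(risks, reverse=True, key=lambda r: (
        LEVEL_ORDER[risk_level(r)], CONSEQUENCE[r.consequence], LIKELIHOOD[r.likelihood]))

def evaluate(risk: Risk, appetite: str) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria.
    A level at or below the appetite is tolerated; anything above it needs a response."""
    return "tolerate" if LEVEL_ORDER[risk_level(risk)] <= LEVEL_ORDER[appetite] else "treat"

# Constructed register entries for a small IT estate (illustrative only).
REGISTER = [
    Risk("Printer outage", "possible", "insignificant"),
    Risk("Phishing of staff", "almost certain", "minor"),
    Risk("Unpatched internet-facing server", "likely", "major"),
    Risk("Loss of data centre", "rare", "severe"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:35} {risk_level(r):8} {evaluate(r, 'medium')}")
```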
The importance of risk management cannot be stressed enough. A risk management programme is only as successful as the individual processes within the framework. This ultimately means that the process of risk assessment is only beneficial if its outcome leads and is used in the overall mitigation or pursuance of risk (Hopkin, 2010, p. 121). The complex nature of risk requires the use of many tools and techniques to fully appreciate the nature and prominence of the risks faced by an organisation. These tools and techniques are for nothing if not used by a practitioner with experience in risk management. The practitioner should have adequate knowledge of what the organisation is about and who the main stakeholders are. HM Treasury has described the act of risk assessment as ‘more of an art than a science’ (2013, p. 19). It is important to realise that risk is about events of uncertainty that can cause loss as well as opportunity. Risk assessment is important not only in identifying possible hazards and control risks; it is also useful in identifying potential opportunities. This could mean the identification of an opportunity to improve business strategy, projects, or operations (Hopkin, 2010, p. 160).
When dealing with risk management there are many things to consider. It is important for the practitioner to choose tools that align with the organisation and its risk appetite. The culture of the organisation is important when deciding which tools and techniques to use. For a risk assessment to be completely holistic and comprehensive the practitioner should realise that the organisation operates in an ever-changing environment, meaning that risk management is an ongoing cycle. It is also important to ensure that all aspects of the organisation’s operations are taken into account; this includes external service providers as well as environmental considerations such as exchange rates (Great Britain. HM Treasury, 2013, p. 9).
BSI Standards. (2008). Risk Management – Code of Practice. Retrieved from http://eds.b.ebscohost.com/eds/detail?vid=2&sid=20807889-173d-45a7-afcf-12f22f78ffd7%40sessionmgr115&hid=115&bdata=JnNpdGU9ZWRzLWxpdmU%3d#db=edsbsi&AN=edsbsi.30191339
BSI Standards. (2011). Risk management. Code of practice and guidance for the implementation of BS ISO 31000. Retrieved from https://bsol.bsigroup.com/Bibliographic/BibliographicInfoData/000000000030228064
Casey, R. (2013). Why HAZOPs can fail. Loss Prevention Bulletin (232), 23-25. Retrieved from http://eds.a.ebscohost.com/eds/detail?vid=2&sid=3d50dccf-4d7d-4ac3-8724-f6f40f951eee%40sessionmgr4002&hid=4103&bdata=JnNpdGU9ZWRzLWxpdmU%3d#db=bth&AN=89984382
Committee of Sponsoring Organizations of the Treadway Commission. (2012). ERM Risk Assessment in Practice. Retrieved from http://www.coso.org/guidance.htm
Feltoe, C. (2013). HAZOP failure. Loss Prevention Bulletin (232), 19-22. Retrieved from http://eds.a.ebscohost.com/eds/detail?vid=2&sid=50437c65-24a4-46e7-8e3c-b77b966e2fb1%40sessionmgr4002&hid=4103&bdata=JnNpdGU9ZWRzLWxpdmU%3d#db=bth&AN=89984381
Great Britain. HM Treasury. (2013). Orange Book: Management of risk – Principles and Concepts. Retrieved from https://www.gov.uk/government/publications/orange-book
Health and Safety Executive. (2011). 5 steps to risk assessment. Retrieved from http://www.hse.gov.uk/risk/fivesteps.htm
Hopkin, P. (2010). Fundamentals of Risk Management. Great Britain and the United States: Kogan Page Limited.
Hurford, P. (2012, June). Intro to Hazard and Operability (HAZOP) studies. Engineering and Manufacturing, 28. Retrieved from http://eds.a.ebscohost.com/eds/detail?vid=5&sid=dfb5b266-14f3-4276-8a81-b06139080a8b%40sessionmgr4002&hid=4103&bdata=JnNpdGU9ZWRzLWxpdmU%3d#db=bth&AN=78122280
International Organization for Standardization. (2009). ISO Guide 73:2009. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en
Ostrom, L.T., & Wilhelmsen, C.A. (2012). Risk Assessment: Tools, Techniques, and Their Applications. Retrieved from http://lib.myilibrary.com/Open.aspx?id=370320
Risk. (2014). In Oxford Dictionaries online. Retrieved from http://www.oxforddictionaries.com/definition/english/risk?q=risk
The Institute of Risk Management. (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. Retrieved from http://www.theirm.org/documents/SARM_FINAL.pdf
The Institute of Risk Management. (2011). Risk Appetite and Risk Tolerance. Retrieved from http://www.theirm.org/publications/risk_appetite.html