Connect with us

Hi, what are you looking for?


Op-Ed: A good risk management process creates a good business culture

To help to develop effective and efficient business management systems risk assessments can be valuable, both as proactive tools to protect against future disruptions to business continuity, and as a reactive tool to address an issue that has arisen. The type of assessment undertaken should be proportionate to the risk, such as a smaller assessment might be needed when a supplier changes compared with recalling a product from the market. Invariably business continuity management and risk management are interconnected.

This article outlines some best practice steps for undertaking risk management within the business setting, drawn from the experience of the author.

There are different stages of risk assessment, which are outlined below (these are adapted from the International Conference on Harmonization).

Risk identification

Risk identification is ideally prefaced with the questions: ‘What might go wrong?’ To answer this fully requires the systematic use of information. This information is used to identify hazards (something that could cause harm), selecting the hazards according to the specific risk question or problem statement.

For hazard identification, this may include an assessment of historical data, the use of theoretical analysis, seeking informed opinions, and being mindful of the concerns of stakeholders.

Risk analysis

Following the collection of all applicable data, these data need to be sorted and analyzed. The pertinent question to have in mind at this stage is: ‘What is the likelihood it will go wrong?’

Risk analysis is the estimation of the risk associated with the identified hazards. This can be achieved by adopting either a qualitative or quantitative approach. The objective is to link together the likelihood of occurrence and severity of harm.

Detectability of a hazard can be considered if applicable, however this needs to be considered carefully since simply being able to detect a problem doesn’t mitigate the associated risk. Furthermore, some methods of detection are not wholly accurate.

Risk evaluation

After analysis, the relative risks need to be evaluated. The framing question here is: ‘What is the risk?’ For risk evaluation this involves comparing the identified and analysed risk against given risk criteria.

When performing risk evaluation it is necessary consider the strength of evidence for three fundamental questions. These are:

What might go wrong?
What is the likelihood (probability) it will go wrong?
What are the consequences (severity)?

Answering these allows each hazard to be put into context.

Risk control

Risk control is about risk reduction. This focuses on mitigation, avoidance or elimination of quality risk. In carrying out this assessment it should be borne in mind there is no such thing as zero risk.

When brainstorming about actions, it is better to focus on reducing severity and probability. After this, detectability can be considered. This is a good option to detect a possible risk before a disaster happens. For example: Any change on trends, alarms before reaching a critical value, and so on.

Risk acceptance

Risk acceptance is about taking the decision to accept the residual risk, after control measures have been introduced. In order to make a decision on risk acceptance it is necessary to discuss the appropriate balance between benefits, risks, and resources.

When carrying this out, it is important to consider that risk acceptance is not:

Inappropriately interpreting data and information.
Hiding risks from management / competent authorities.

Ideally all stakeholders are involved in the risk acceptance process.

Risk communication

There is little value in completing a risk assessment if the outcome is not communicated. Risk communication should be the bi-directional sharing of information about risk and risk management between the decision makers and others. This should be done at any stage of the assessment process to increase transparency.

This communication could be:

Formal: For example using existing channels as specified in regulations or procedures,
Informal: Such as during a meeting.

Always remember to document the output and result of the risk assessment process appropriately.

Risk review

A risk assessment review process is necessary to re-examine the results of the risk process, taking into account new knowledge and experience. This review process should be implemented for planned and unplanned events as things could have changed impacting upon a business process.

Avatar photo
Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:


In March, prices rocketed to more than $10,000 a tonne in New York after a poor harvest in West Africa.


Medical team members evacuate a Muslim pilgrim, affected by the soarching heat, at the base of Mount Arafat, also known as Jabal al-Rahma or...

Tech & Science

It was also found that the relationship between genotype and phenotype is more different than the relationship between coffee and tea.


Asian markets extended last week’s poor run with more losses Monday, following on from another tepid lead from Wall Street.