Risk assessments can be valuable in developing effective and efficient business management systems, both as proactive tools to protect against future disruptions to business continuity and as reactive tools to address an issue that has already arisen. The type of assessment undertaken should be proportionate to the risk; for example, a smaller assessment may be needed when a supplier changes than when a product is recalled from the market. Invariably, business continuity management and risk management are interconnected.
This article outlines some best practice steps for undertaking risk management within the business setting, drawn from the experience of the author.
There are different stages of risk assessment, which are outlined below (these are adapted from the International Conference on Harmonization).
Risk identification
Risk identification is ideally prefaced with the question: ‘What might go wrong?’ Answering this fully requires the systematic use of information. This information is used to identify hazards (anything that could cause harm) and to select the hazards relevant to the specific risk question or problem statement.
Hazard identification may draw on an assessment of historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.
Risk analysis
Following the collection of all applicable data, these data need to be sorted and analyzed. The pertinent question to have in mind at this stage is: ‘What is the likelihood it will go wrong?’
Risk analysis is the estimation of the risk associated with the identified hazards. This can be achieved by adopting either a qualitative or quantitative approach. The objective is to link together the likelihood of occurrence and severity of harm.
Detectability of a hazard can be considered where applicable; however, it needs to be treated carefully, since simply being able to detect a problem does not mitigate the associated risk. Furthermore, some methods of detection are not wholly accurate.
Risk evaluation
After analysis, the relative risks need to be evaluated. The framing question here is: ‘What is the risk?’ Risk evaluation involves comparing the identified and analyzed risk against given risk criteria.
When performing risk evaluation it is necessary to consider the strength of evidence for three fundamental questions. These are:
What might go wrong?
What is the likelihood (probability) it will go wrong?
What are the consequences (severity)?
Answering these allows each hazard to be put into context.
Risk control
Risk control is about risk reduction. This focuses on the mitigation, avoidance or elimination of quality risk. In carrying out this assessment it should be borne in mind that there is no such thing as zero risk.
When brainstorming actions, it is better to focus first on reducing severity and probability. After this, detectability can be considered, as a means of catching a developing problem before harm occurs: for example, monitoring for changes in trends, or alarms that trigger before a critical value is reached.
Risk acceptance
Risk acceptance is about taking the decision to accept the residual risk, after control measures have been introduced. In order to make a decision on risk acceptance it is necessary to discuss the appropriate balance between benefits, risks, and resources.
When carrying this out, it is important to consider that risk acceptance is not:
Inappropriately interpreting data and information.
Hiding risks from management / competent authorities.
Ideally all stakeholders are involved in the risk acceptance process.
Risk communication
There is little value in completing a risk assessment if the outcome is not communicated. Risk communication should be the bi-directional sharing of information about risk and risk management between the decision makers and others. This should be done at any stage of the assessment process to increase transparency.
This communication could be:
Formal: for example, using existing channels specified in regulations or procedures.
Informal: for example, during a meeting.
Always remember to document the output and result of the risk assessment process appropriately.
Risk review
A risk assessment review process is necessary to re-examine the results of the risk process, taking into account new knowledge and experience. This review should be carried out for both planned and unplanned events, since changes may have occurred that affect a business process.
