IRM ERM M1U3.4 Risk analysis Flashcards
ISO 31000 (2018) The purpose of risk analysis
ISO 31000 (2018) states:
‘The purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk.’
‘Risk analysis provides an input into risk evaluation, to decisions on whether risk needs to be treated and how.’
Chartered Institute of Internal Auditors (CIIA, 2005) - Risk analysis
‘The systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences, i.e. their impact.’
Orange Book:2020 and COSO:2017 - Risk analysis
Meanwhile the Orange Book:2020 and COSO:2017 place risk analysis within the broader subject of risk assessment. Risks are analysed to:
prioritise risks for treatment in terms of their significance.
achieve consistent perceptions of significance across the organisation.
inform decisions on how scarce resources are allocated.
inform decisions about whether to proceed with a new strategy, project, or investment, and so on.
To determine the importance of your risks, you could:
look at past records.
look at personal relevant experience (and intuition).
look at industry-relevant experience of the risk.
look at published literature on the risk.
do some testing or experiments (for example, market research).
use economic or statistical models to make forecasts.
use experts in the area of that risk to make judgements.
To rate the importance of risks you could compare the risk’s:
Potential impact to your objectives
Potential likelihood of happening
Relative velocity
Relative vulnerability of different parts of the organisation the risks are linked to
Relative exposure of different parts of the organisation the risks are linked to
Proximity
The level of action or control needed to manage the risks to a desired (target) state
Relative difficulty of managing those risks
Relative influence of a single risk on other risks (dependency / cascade factor).
Risk prioritising techniques – impact. Qualitative, quantitative, scale
Impact can be measured using simple to complex approaches - from purely qualitative, descriptive levels of impact (low to high) to quantitative analytical data collection and analysis techniques, such as Value at Risk or Monte Carlo simulation.
However, most organisations take a composite approach: using the risk criteria, they measure impacts against objectives on qualitative scales from low to high, with some quantitative measures added to provide consistency. For example, a high financial impact might be greater than $1m while a low financial impact might be less than $1,000.
Risk prioritising techniques – opportunity (e.g. reputation, retention)
When rating opportunities, the majority of the scales here can be considered from a positive perspective. For example, for reputation, instead of complaints the scale could be measured in compliments; for finance, it could be gain instead of loss; for staff, it could be improving retention and recruitment.
The point is, when opportunities have been identified, you can measure these in the same ways as threats, which embeds the identification, analysis and management of both the upside and downside risks with the same approach, rather than trying to introduce two different approaches.
Risk prioritising techniques – likelihood. Probability & Frequency
Likelihood is a term which tries to measure the chances of a specific event occurring. It captures the expected probability and frequency of an event:
Probability – Likelihood can be expressed numerically as a value between 0 and 1 (or 0% and 100%) used as a probability measurement, such as: ‘There is a 2% chance of rain in the city of Jeddah on any one day during the next month.’ Probability is commonly used for risks that might only occur once in the timescale considered.
Frequency – Likelihood can also be expressed numerically as a frequency measurement, such as: ‘In just one day in 2005 Hurricane Katrina resulted in a one-in-a-hundred-year flood to New Orleans.’ This frequency measure could be converted to a probability measure as follows: the chance tomorrow of another Hurricane Katrina severity flood hitting New Orleans is 1 day in (365 days in a year × 100 years), or a 0.003% chance. Frequency is commonly used for risks that might occur more than once in the timescale considered.
Prioritising techniques – impact and likelihood. X & Y placement; simple vs complex
It does not matter on which axis impact or likelihood is placed; you will find that approximately 50% of organisations who use this prioritisation method have impact on the x-axis of the matrix, whereas the other 50% have it on the y-axis.
Some organisations have separate matrices for opportunities as opposed to threats, whereas others roll both together by ensuring the descriptions of the potential impacts of the risks can be both positive and negative.
Some organisations keep their risk matrices very simple, with no gridlines and few metrics, whereas others make them more complicated, numbering all positions on the grid and colouring different cells in different colours, aimed at inducing a certain reaction.
Impact and action
One way to deal with the problem of analysing likelihood is to stop using it, or only use it as and when it is truly applicable and useful (for example, engineering risks). Instead, alternative scales can be used against impact, such as the amount of action needed to bring the risk to an ‘acceptable’ level.
This method is usually termed the ‘Impact versus action’ and is used because it:
avoids unnecessary debate on likelihood.
prioritises attention on the risks that require immediate focus.
prompts robust discussion and action regarding the extent to which risks truly need to be managed.
The use of the impact versus action map allows risks that would traditionally be considered in the red zone, and therefore ‘unacceptable’, to be given the correct focus, while other risks that have a high impact on the business and need lots of action can also be highlighted. In this scenario, risks such as Covid-19 would be given greater attention, because they would be highlighted as ones which would have a significant impact on an organisation and, in most cases, would need a lot of action to manage the risk to an acceptable level.
Risk Proximity - Covid vs Nuclear Project Example
The general definition of risk proximity is how close we are to a risk occurring, or how soon a risk can happen.
For example, if we are considering the ill health of a key member of staff, especially during the Covid pandemic, this could mean a close proximity, whereas if you are considering certain project risks on the decommissioning of a nuclear power station, these might have a distant proximity.
Risk velocity
Another ‘timing’ term for risk is risk velocity. Risk velocity measures how fast a risk can impact an organisation once it occurs. Hopkin and Thompson also refer to risk velocity as the ‘timescale of risk impact.’
Risk clockspeed
A further ‘timing’ term is the risk clockspeed. Risk clockspeed refers to the rate at which the information necessary to understand and manage a risk becomes available. There are two main classes of clockspeed:
Slow Clockspeed Risks are those where sufficient thinking time is available (‘sufficient’ is context related).
Fast Clockspeed Risks are at or close to real time.
The Risk Clockspeed Window is the range between how well organisations can deal with Fast Clockspeed Risks and Slow Clockspeed Risks and still function effectively.
A final note is that some organisations use the above terms interchangeably.
Levels of risk
Hopkin and Thompson note the levels of risk rating in chapter 1. The three main terms used by Hopkin and Thompson are:
Inherent – this is the level of risk before any controls have been put in place or actions taken to manage the risk and change the likelihood or impact. This is useful to understand the real exposure an organisation has to a risk should the controls fail. It also helps to identify when risks might be over or under controlled. This rating level is sometimes also called ‘raw,’ ‘gross’ or ‘total.’
Current – this is the level of risk, taking account of the current controls in place to manage it, working at their current effectiveness. This rating level is sometimes called ‘net’ or ‘residual.’
Target – this is the level of risk that is desired to bring the risk to an acceptable level. This rating level is often missed by organisations, but it is an important consideration in how much effort is needed to manage risks to an acceptable level.
Inherent rating is helpful when considering key or principal risks within an organisation. It is less useful when considering risks further within the organisation.
In summary the risk rating terminology comparisons are:
Inherent is usually the same as total, gross, raw, initial
Current is usually the same as net, some versions of residual
Target is closely linked to risk appetite.
More than one risk impact
Note that a risk can have more than one impact. Using the example above, consider the risk faced by the organisation maintaining the road network of a vehicle crashing into the works and damaging assets and harming personnel – remember that this is despite all the measures already in place to manage the risk. Looking at the impact should the risk occur, a reasonable rating could be:
Safety – High (one fatality)
Financial – Moderate ($100k to $1m)
Production – Minor (3 hours to 1 week lost time)
Reputation – Insignificant (<50 negative comments on social media)