Risk Assessment Does Not Have to be Scary and Frustrating
Was your first attempt at tackling risk management a frustrating exercise of late-night internet research that led to more questions than answers? A Google search for risk management returned over 1.4 billion results!
Did your second attempt result in an extensive list of possible risks? Was the list too large? Was there was no way to discern if any risk was more significant than another? And was it unclear who should be accountable to manage any of the risks?
You are not alone, these are common challenges. Read on to learn how we help our clients to solve these challenges and get value from their risk management endeavours.
The OTUS approach is to work with you to establish a shared understanding of answers to the following questions:
- What are you trying to achieve?
- What processes and activities must get done to achieve your objectives?
- What might prevent you from achieving your objectives?
- Which of the things that might prevent you from reaching your objectives are most significant?
- What should be done about the most important things that might prevent you from reaching your objectives?
To start the process, key members of an organization can usually expect to participate in individual interviews to explore questions similar to those above.
Following the interviews, we will identify the most significant risks that could impact your organization.
Wherever possible, we group the identified risks into three main categories as follows:
- Strategic risks – These are risks necessary to achieve your objectives. Strategic risks are not entirely undesirable because it is necessary to take risks to reach objectives. The objective should be to reduce the probability that these risks will actually materialize and to improve ability to manage or contain them should they occur.
- Operational risks – These are risks that arise within an organization from its operations. Examples include unauthorized access to facilitates, lack of back-ups of significant digital information, and absence of business continuity planning. Generally, the goal should be to eliminate or reduce the probability that such risks will manifest, to the extent possible.
- External risks – These are risks that are outside your organization and beyond your control. The objective should be to understand and plan to mitigate their impact to the extent possible.
We then typically conduct two half-day workshops with key organization members:
Workshop I – Coming to a Consensus.
- Verify that participants have a shared understanding of what we are aiming to achieve and why.
- Validate the information gathered through the interview process.
- Build consensus on the most significant risks that could impact the organization.
Workshop II – Prioritizing and Planning.
- Assess the most significant risks confirmed in Workshop I in terms of both likelihood and impact using the heat map illustrated below (fig. 1).
- For risks identified as being critical/higher risk, we will work with workshop participants to identify mitigation strategies.
Through the process and exercises described above, you will have participated in the development of:
- A list of the most significant risks ranked by probability of occurrence and potential impact, and categorized as strategic, operational or external.
- Potential strategies to mitigate the most significant risks that could impact your organization. It is important to periodically consider whether such strategies had the impact you expected.
You will have also equipped key members of your team with skills they can use to be risk managers in each of their own areas of your operations.
Looking ahead, it is important to keep your risk assessment current by regularly reviewing risks, especially when change happens in your organization.
Risk management is an important part of running your organization. A risk assessment will help you understand your most significant risks and identify what can be done to mitigate them. You will benefit by having the peace of mind that comes from having answers.