Risk assessment: A critical component of risk management
How to rank risks by likelihood and impact
By Robert Higgins, CIC, CRM, CPCU, ARM, ARMp, FRM, CRIS
Every organization is continuously exposed to a myriad of both internal and external risks that may affect its operation or the fulfillment of its objectives. Identification, analysis, and evaluation of these risks are the only ways to understand and measure the impact of the risks involved and to decide on the appropriate measures and controls to manage them.
That is where risk management comes onto the scene. This process involves evaluation of the possible sources of risk in order for the organization to develop a comprehensive risk management plan to remedy or resolve these risk event possibilities. An essential element of this process is a formal risk assessment. As its name implies, the purpose of a risk assessment is to evaluate the various identified risks, the potential consequences that could stem from them, and their probability of occurring.
But not all risks are created equal. Risk management is not just about identifying risks; it is about learning to weigh various risks and make decisions about which ones deserve immediate attention. In ideal risk management, a prioritization process is followed where the risks with the greatest impact on the organization and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower impact are handled later. In practice, the process can be very difficult, and achieving the correct balance among risks poses a significant challenge. This is where risk assessment can be a valuable tool.
What is risk assessment?
Risk assessment is the term applied to the method of analyzing and evaluating risks associated with any asset, activity, function, or process. Risk assessment represents the second step in the risk management process and follows the first step of identification of all possible risk exposures faced by the organization.
Risk assessment allows for the systematic evaluation and prioritization of risks in terms of expected likelihood of occurrence and the potential consequence if and when the risk event occurs. Risk assessment not only allows for the identification, sourcing, and measurement of key business risks; it also positions an organization to master its risks and ultimately create value.
Risk assessment is an enterprise-wide collaborative process that attempts to answer the following questions:
• What assets need to be protected?
• Who/what are the threats and vulnerabilities?
• What are the implications if the assets are damaged or destroyed?
• What is the value of the assets to the organization?
• What can be done to minimize exposure to the loss or damage?
The benefits of risk assessment
Risk assessment supports the risk management process by providing the underlying analysis on which risk treatment decisions can be made. These assessments help organizations identify, define, measure, and prioritize critical business, financial, operational, and strategic risks and allow for the effective and efficient management of risk. As a result, organizations that undergo ongoing risk assessment can expect the following benefits:
• Thorough identification of the organization's risk sources
• Effective prioritization of the organization's key risks
• Assessment of the organization's current risk response strategies
• Increased awareness of risk management throughout the organization
• Embedding of a "risk management" culture into the organization
• A foundation for developing strategies and implementing solutions to key risks
How is risk assessed?
Once an organization has developed a comprehensive listing of its risks, the risks need to be sorted, ranked, or otherwise analyzed according to their likelihood of occurring and their impact on the organization.
Two methods can be used to determine the level of risk: (1) qualitative and (2) quantitative. If the information is available numerically, then a mathematical process may be used. Non-numerical information can be processed using the sample risk rating tables shown above.
The more commonly used approach tends to be qualitative. Managers often use experience, judgment, and intuition to make decisions, supported by whatever relevant information is available. However, the process should be carefully structured to use judgment consistently and in the best possible way, with explicit scales for likelihoods and consequences. The level of risk is determined from the relationship between consequence and likelihood, which is usually set out in a table. It is up to management, knowing their own risk criteria and organizational context, to define suitable risk rating scales for their circumstances.
Qualitative analysis of exposures and losses
Analysis of a risk exposure is easily accomplished through use of a systematic, qualitative method that assigns a numerical value to the risk exposure. This numerical value or "risk score" then enables the organization to prioritize the risks as to their overall risk level in relationship to others. Once the risks have been categorized and prioritized, attention can be given to identifying the appropriate risk control and risk financing technique(s) to manage the risk exposures.
During this analysis, risk exposures are analyzed by combining estimates of consequences and likelihood in the context of absolute risk, disregarding any risk controls, and then the residual risk level is scored with risk treatment(s) in place. The level of risk is determined by the relationship between the likelihood (frequency or probability) and the consequence (impact or magnitude of the effect) if the risk occurs.
Likelihood/consequence qualitative rating system
Tables 1 and 2 on page 12 and above present two examples of a numerical likelihood and consequence rating system that may be used to assign priorities to the frequency and severity of risk exposures. Table 1 addresses the financial impact of a risk and defines the consequences on a five-point scale that takes into account a risk's impact on:
• personnel safety
• public safety
• property damage/business interruption
• corporate image
• legal implications
Table 2 shows the expected likelihood of a risk occurring and defines the frequencies on a similar five-point scale. Together, the two tables allow for the qualitative ranking and prioritizing of a given risk exposure as to how often the risk event should occur and, when it does, what will be the financial impact on the organization.
Once the risks have been rated as to their overall risk level (expected likelihood and consequence), they can be graphed in a two-axis chart (risk matrix) to help visually identify the most critical items for risk response actions: those risks with both a high likelihood of occurring and a high impact if they were to occur. Risks are then positioned in the risk matrix quadrants based on their overall risk score (likelihood rating times consequence rating). An example of a risk matrix is shown above.
Finally, a risk assessment is also a continual process that should be reviewed regularly to ensure that the risk response mechanisms currently in place still meet the required objectives.
Guidelines for measuring the importance of a risk
The following six principles offer helpful guidelines for measuring the importance of a risk.
1. The importance of a risk usually depends much more on potential loss severity than on loss frequency. However, a severe loss can be the result of a large number of losses or a single large loss. The issue is whether the outcome can impair the organization's progress toward achieving its mission.
2. In determining potential loss severity, one must take into account the financial impact of all losses that could occur as the result of an incident. For example, a fire at an important regional office can damage property, injure employees, destroy important records, and require other regional offices to devote substantial resources to maintaining even minimal levels of service.
3. A single event may cause damage or injury to two or more persons, facilities, or pieces of equipment. Two office buildings located within a few blocks of each other may be damaged from a hurricane or flood. For an organization whose production facilities are integrated, the idling of one production facility may cause a ripple effect that shuts down other facilities.
4. Losses that occur outside the organization can still affect the organization (for example, a major fire to a key supplier's facilities results in that supplier being unable to supply needed parts or materials, thus causing production delays or reductions).
5. The ultimate financial impact of an incident may exceed the sum of the direct and indirect losses that are apparent prior to its occurrence. For example, financial distress and the downgrading of an organization's financial rating may follow major damage to a facility that is taken out of service for two months. The additional costs of new financing add to the loss arising from the damage to the facility and the consequential loss of business.
6. An assessment of loss severity takes into account the timing of loss as well as its amount. Budgeting for a $2 million loss is simpler if the loss is spread over several years as compared to the same loss that must be financed in a single quarter.
No matter its size, every organization needs to understand risk. Owners, directors, and managers who have a good practical knowledge of risk management are better able to take advantage of opportunities—and to protect their businesses from events that might otherwise cause them serious damage.
Robert Higgins is an executive vice president in the risk services department of Schiff, Kreidler-Shell, Inc., and has over 30 years' experience in insurance and risk management. He is a graduate of the University of Kentucky College of Business and Xavier University's MBA program. He can be reached at (513) 977-3100 or by e-mail at email@example.com. For more information on the Certified Risk Managers (CRM) program, go to: www.TheNationalAlliance.com