In line with the ISO 31000 standards, a risk assessment methodology is part of the risk management process and uses a combination of:
- analysis, and
- evaluation techniques.
Source: Anttonen & Paakkonen, 2010
These techniques are applied in both qualitative and quantitative approaches to characterising risks. As mentioned in the previous section, potential hazard identification, potential frequency and severity analysis, and risk evaluation/characterisation are the fundamental components of the risk assessment process for measuring risks and opportunities, and they ensure that the inherent risks and incentives are well understood (Basel Committee on Banking Supervision, 2011).
Percentage of respondents in the manufacturing industry indicating dimensions of business and IT risk rated by risk assessment, 2015
Source: Deloitte, 2015
The analysis step of the risk assessment process is a purely scientific and technical process designed to let you assess the frequency and severity of an incident, while the evaluation stage combines frequency and severity into a value or statement and presents it in a visual form, such as a risk matrix or heat map.
Risk evaluation, in particular evaluation at high levels of decision-making, takes account of the wide range of interrelated factors, such as:
- public risk tolerance
- costs-and-benefits trade-offs, and
- socio-political and ethical factors.
Various root cause analysis techniques are part of the analysis and evaluation steps to identify causes and measure their effects and frequency of occurrence (SCRLC, 2011). Moreover, the frequency of the incident is the product of two probabilities:
- The probability of the hazard occurring.
- The probability of the relevant object being exposed to the hazard.
If the second probability is absent (the hazard occurs but nothing is exposed to it), the event is a near-miss; if the first is absent (exposure without the hazard occurring), the event is an at-risk behaviour (Aven, 2016). When some risks are already well known, the risk assessment may start by assessing the effectiveness of the existing risk controls in achieving a given level of residual risk (Deloitte, 2015).
Risk and control self-assessment (RCSA) is a generic risk assessment process through which you examine operational risks and the effectiveness of controls. The objective is to provide reasonable assurance that all your business objectives will be met. In most cases, RCSAs take the form of structured questionnaires and/or moderated workshops with complementary interviews. Stakeholders identify and assess the risks and controls in their respective areas of operation. Using scorecards, you obtain qualitative evaluations in the self-assessment, which can then be translated into quantitative parameters for assessing loss frequency and severity. This lets you rank the risks and identify the key ones, and you can then present the risk portfolio as a risk heat map or matrix. A SWOT analysis is used to identify and present your company’s own strengths and weaknesses, as well as its opportunities and threats.
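The two-probability frequency model above and the scorecard-to-heat-map step of an RCSA, as an added example that is not part of the original post: scorecard ratings are mapped to probabilities, incident frequency is computed as P(hazard) × P(exposure), risks are ranked and placed on a risk matrix. The 1-5 scales, the rating-to-probability mapping, the matrix bands and the sample risks are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed mapping from a qualitative scorecard rating (1-5) to a probability.
RATING_TO_PROB = {1: 0.01, 2: 0.05, 3: 0.2, 4: 0.5, 5: 0.9}


@dataclass
class RiskItem:
    name: str
    hazard_rating: int    # scorecard: how likely the hazard is to occur (1-5)
    exposure_rating: int  # scorecard: how likely the object is exposed to it (1-5)
    severity: int         # scorecard: impact if the incident occurs (1-5)


def classify(hazard_occurred: bool, exposed: bool) -> str:
    """Outcome of a single event under the post's definitions."""
    if hazard_occurred and exposed:
        return "incident"
    if hazard_occurred:
        return "near-miss"          # hazard occurred, nothing was exposed
    if exposed:
        return "at-risk behaviour"  # exposed, but the hazard did not occur
    return "no event"


def incident_frequency(item: RiskItem) -> float:
    """Frequency = P(hazard occurs) * P(relevant object is exposed)."""
    return RATING_TO_PROB[item.hazard_rating] * RATING_TO_PROB[item.exposure_rating]


def risk_score(item: RiskItem) -> float:
    """Evaluation step: combine frequency and severity into a single value."""
    return incident_frequency(item) * item.severity


def matrix_cell(item: RiskItem) -> tuple:
    """Bucket frequency and severity into (frequency band, severity band)."""
    f = incident_frequency(item)
    f_band = "High" if f >= 0.2 else "Medium" if f >= 0.02 else "Low"
    s_band = "High" if item.severity >= 4 else "Medium" if item.severity >= 3 else "Low"
    return (f_band, s_band)


def rank_risks(items: list) -> list:
    """Key risks first, as used to build the risk portfolio view."""
    return sorted(items, key=risk_score, reverse=True)


def heat_map(items: list) -> dict:
    """Risk matrix as {(frequency band, severity band): [risk names]}."""
    cells = defaultdict(list)
    for item in rank_risks(items):
        cells[matrix_cell(item)].append(item.name)
    return dict(cells)


# Constructed sample scorecard entries (OHS hazards on a factory floor).
SAMPLE = [
    RiskItem("Forklift collision", hazard_rating=3, exposure_rating=5, severity=5),
    RiskItem("Chemical splash", hazard_rating=2, exposure_rating=3, severity=4),
    RiskItem("Slip on wet floor", hazard_rating=4, exposure_rating=4, severity=2),
]

if __name__ == "__main__":
    for cell, names in heat_map(SAMPLE).items():
        print(cell, names)
```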
You should review your risk assessment methods and outcomes periodically to take into account changes in workplace hazards, practices, processes and regulations, among other factors (Oesterreichische Nationalbank, 2006).
Some key transmission effects of risks in the space of OHSEQ
When risk management is integrated into an enterprise-wide framework, the interrelationships between different types of risks can produce impacts quite different from those seen when each risk is considered in isolation. As illustrated in the chart above, the interrelationships between OHSEQ risks should be assessed or measured from a risk portfolio perspective, for example through correlation coefficients or a structured simulation model that captures the interrelationships both at a particular point in time and over a period of time, so as to factor in the dynamics between risk components (Young & Coleman, 2009).
In our next blog, we will continue with the overarching topic of risk assessment techniques.