Following on from our previous blog, we’ll be drilling down into current risk methodologies. But first, let’s snapshot the overall landscape of these approaches to managing and minimising risk in the workplace.
Risk – and risk management – is no longer a separate line item
Risk is no longer just a silo of a business. You must now ingrain risk management in your organisation’s daily activities. As we’ve stated previously, this is because risk eventually has an impact on your organisation’s:
- earnings
- capital, and
- reputation.
For example, occupational health, safety and environment, and quality (OHSEQ) risk management is expected to be driven by sustainability and integrated into operating activities, which will create long-term value for the organisation.
Source: Weitner & Hatler, 2014
You can manage risk through:
- avoidance/adaptation
- acceptance
- mitigation, or
(Kenett & Raanan, 2011)
Risk assessment frameworks provide the methodology to assess risks so you are able to select the appropriate control measures to minimise risks. This requires risk professionals to have a proper view of the enterprise-wide risk. Quantitative risk management frameworks use calculated algorithms to discretely and objectively identify the value of assets, threats, vulnerabilities, and confidence levels.
In comparison, qualitative risk management frameworks identify the same aspects, but are more subjective and provide a general indication of the significant areas of risk you need to address (Blokland, 2017).
The standards of risk assessment processes and methodologies
As you know, a risk assessment allows your enterprise to consider how potential events might affect the achievement of your business objectives, by reducing incidents and the associated costs to the residual level (in line with its risk appetite or tolerance thresholds). According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), you would ordinarily assess risk within two sets of parameters: probability and consequences.
A risk assessment identifies, analyses and evaluates the probability (likelihood or frequency) and consequences (impact, or severity) of risks across all functional areas of the organisation, which forms the foundation of an effective enterprise risk management programme. This is often mandated by regulatory requirements. Leading companies tend to standardise the processes of risk assessment, quantification and prioritisation (Paquin, 2014; Miccolis, 2003).
The international risk management standard, ISO 31000, is illustrated in the chart below. The latest 2017 draft version outlines a generic risk management process, with organisations expected to choose their own risk assessment process. While a number of different risk analysis methodologies exist, it is best to start with a qualitative assessment, which is (relatively) easier to complete, if the organisation has not yet undertaken a risk assessment.
ISO 31000 Risk Management principles and guidelines: Draft International Standard, February 2017
Source: ISO; Blokland, 2017
From an industry sector perspective, the research reviewed risk assessment methodologies and techniques used for managing:
- operational risks (people, process, information system and technology): Operational risks are rising due to new products and services, stringent regulatory compliance requirements, increased outsourcing needs, and new technology. According to PricewaterhouseCoopers (PwC), these and many other factors can significantly affect an organisation’s overall risk profile. The purpose of operational risk management (ORM) is to create a comprehensive standard framework, establish processes to effectively address the risk impacting on the operation of the enterprise, and to implement procedures or controls to minimise the possibility of risk (resulting from inadequate or failed internal processes and systems, human factors, or external events, such as legal risks (excluding strategic and reputational risks)). Operational risks are the internal risks of your organisation and often focus on health and safety issues, which may affect your organisation’s ability to deliver on its strategic objectives;
- strategic risks (economy, politics, competition and demography): Strategic risks present unique challenges to risk assessors, as they are difficult to evaluate but are the frontier of organisational risk management (Deloitte, 2015). Strategic risk management covers factors outside the control of organisations, which impact the implementation of certain risk management strategies. You cannot manage strategy risks through a rules-based control model for hazard and operational risk management, but rather through a risk management system that reduces the probability of the assumed risks and improves your organisation’s ability to contain the risk events (should they occur). Because organisations cannot prevent such events from occurring, their management must focus on identification and mitigation of their impact. Such a system would not stop organisations from undertaking risky activities, but would enable them to take on more higher-risk, higher-reward projects than competitors that have less effective risk management practices in place (Kaplan & Mikes, 2012);
- hazardous risks (e.g. OHSEQ legal and compliance regulations): Hazardous risks often result from major exogenous factors, which affect the environment where your organisation operates. The use of insurance and appropriate contingency planning will help you address some of the hazardous risks (Mohammed & Sykes, 2015).
These are three of the four main areas of enterprise risk management (ERM). The fourth is financial risk; all four have a financial impact on the organisation.
As an organisation, you should tailor your risk-management processes to align with the above-mentioned risk categories. While a compliance-based approach is effective for managing preventable risks, it is inadequate for strategy or external risks, which require open and explicit risk discussions. The challenge is that individuals have strong cognitive biases (motivational reasoning bias, confirmation bias, escalation of commitment and groupthink), which hamper them from thinking about and discussing risk until it is too late (Kaplan & Mikes, 2012).
Due to the interdependency and correlation between risk categories, and among various risks within each category, a particular risk can belong to more than one category and be managed by more than one risk manager. Organisations also define risks differently; for example, some companies consider certain legal and hazardous risks to be operational risks. Financial institutions generally use the categories of market, credit, and operational risk, including hazard and other risks. According to The Institutes, each organisation should select categories that align with its strategic objectives and processes, and develop relevant risk assessment methods and management processes within the ERM framework.
Your organisation may deploy a standard system to manage all types of enterprise risk, such as the ISO 31000, which provides a framework to ensure consistent policies and procedures.
However, there is an expectation for a consistent approach or methodology to manage a certain type of risk that is either event- or governance-driven. You should implement this methodology enterprise-wide, which will require collaboration across your business units. According to The Institutes, it will improve your organisation’s ability to manage risk effectively.
There is no one-size-fits-all method for the assessment of risk, but many organisations rely on reasonable approximations based on past experience. Risk management processes naturally evolve and mature over time, but some fundamental principles remain the same, and effective risk assessment must be adaptable to, or uniquely designed for, specific dangers. Your organisation should group similar risks into similar analytical processes. Ideally, as a company, you should allocate capital (or insurance) based on risk, in conjunction with cost-and-benefit analyses. Every risk identification process should lead to effective analysis, which then informs your corporate governance (Investopedia, 2015). In the space of OHSEQ risk management, losses from injuries, illnesses or diseases can be measured in direct and indirect economic costs.
According to research on existing risk assessment and management standards applied worldwide (Louise & Dominic, 2017), there are 47 relevant standards in the energy-critical infrastructure space, the vast majority of which address risk analysis and evaluation through qualitative methodologies. Some companies have deployed quantitative methods, such as scenario analysis. Financial service companies, such as banks and insurers, used mathematical formulae the most for risk assessment.