Question 4: Risk Assessment?
Organization need to find the factors that are giving rise to risk to the goals of the organization.
Risk Assessment comprises of processes for:
- Identifying
- Analyzing and
- Evaluating risks.
Risk Identification:
Organization can use varieties of techniques for risk identification. These techniques can be used either in isolation or in combinations. Following techniques are available:
• Brain Storming: A group of people coming together and thinking on risk that can affect the organization.
• Interviews with process owners: Conducting a structured interview with process owners. This technique offer advantage of using the knowledge of person who is responsible for the operation and therefore is knowledgeable enough to offer insights.
• Questionnaire: A predefined structured questionnaire is designed and sent to process owners for responses. The responses received are tabulated and analyzed to understand the risk faced by the organization.
• Workshops: Gathering all stakeholders / process owners into a room, facilitating healthy discussions, generating ideas.
• Expert facilitation: Requesting help from industry peers who has gone through the similar phase
• Process Analysis: Analyzing all processes, gathering factors which is giving rise to risks
• Consultants: going to external consultants to run the entire show or help internal team.
• Scenario: considering various scenarios
• Simulations: Simulation of events
No single technique is better than others are. However, a judicious use of mixture of techniques can give better results.
In risk identification, organizations need to identify sources of risks, areas of impact, events and their causes and potential impact. A list of risk having an impact or chance to have an impact on the organization is created. Impact can be of positive or negative nature. i.e. risk need not be restricted to event that has negative impact, but risks, which can be beneficial to company, should also be listed.
(The coin of risk, can give Opportunity as well as Threat, when the same has been flipped.)
While doing risk identification it is important to keep our biases aside. All risk need to be identified:
1. Risk can be internal or external
2. Risk can be controlled or uncontrollable.
3. Risk of doing something and risk of not doing something.
Any risk, which is not identified, will not be analyzed. Risks identified will become foundation of Risk Register.
(I will discuss on risk analysis, which comes after risk identification. An organization has limited resources, which cannot be devoted to all the activities. A cost and benefit analysis need to be done before committing resources.)