Risk Management - Assessing the Risk
David Royston-Jennings
LGMS Regional Risk Coordinator - at JLT Public Sector, a business of Marsh McLennan / Governance Top 100 Finalist 2022-2024
We might not realise it but in our own way we each assess risk on a regular basis. All the time, every day. As we each consider risk differently, it is imperative from an organisational perspective to provide a Risk Management Framework which outlines a consistent approach aligned with ISO 31000. The Standard explains that risk assessment is ‘the overall process of risk identification, risk analysis and risk evaluation’. It adds that ‘risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further enquiry as necessary’.
Risk Identification
Risk Identification is all about finding, recognising and describing risks which may help or hinder you from achieving your objectives. An organisation can utilise a range of techniques for identifying uncertainties which may impact upon those objectives. In Council’s context, this could include community survey feedback, reviewing complaint statistics, or monitoring claims data.
Risk is defined as the effect of uncertainty on objectives. We tend to think of these as broad objectives towards larger goals but that doesn’t have to be the case. Maybe the objectives are grabbing milk from the shops, helping our children with their homework, or picking out a birthday present for our loved one. Although these are ordinary tasks, there is still risk involved. For example:
Now these risks would likely be common for most of us (it’s not just me, right?) but how we assess them and ultimately manage them can be extremely varied. Are we calling Woolies before we go to ensure they have milk, double-checking our banking app to make sure there are funds, and deliberately choosing a quiet time to visit the store? Or are we just winging it and turning up at the shops regardless, buying our milk (assuming they have it…) and getting out of there as soon as possible? Either way, we’ve identified the risks (whether we’ve done this consciously or not) and acted in accordance with what we feel appropriate in the circumstances (our personal risk appetite).
Risk Analysis
Having identified the risks, the next step of the risk assessment process is to analyse them. The purpose of this step is to consider the nature of those risks and comprehend the level of risk involved against our objective. Depending on the risk, this can be a complex process, because it requires detailed consideration of the consequences and likelihood of the risk eventuating, as well as the existing controls in place and their effectiveness.
As outlined in a previous article, an organisation's Risk Management Framework should include criteria to assist the risk assessment process, including guidance on how to consistently determine the likelihood, consequence, and overall level of risk involved.
Using the example objective of grabbing milk from the shops provided earlier, this could look like this:
By analysing the risks, we’re now able to make decisions on whether any further action is required.
Risk Evaluation
This step is all about supporting decision-making. Risk evaluation involves comparing the outcomes of the risk analysis with the risk criteria defined in your Risk Management Framework and determining whether additional action is required.
This could lead to a decision to consider risk treatment options (i.e. implementing strategies to reduce the level of risk to an acceptable level), undertaking additional analysis to better understand the risk, maintaining existing controls, reconsidering objectives, or simply doing nothing!
According to ISO 31000, these decisions ‘should take account of the wider context and the actual and perceived consequences to external and internal stakeholders’.
Going back to our example, here’s how the evaluation could look:
I will elaborate on risk treatment in a future article but for anyone wondering, my risk treatment strategy for the shop not having milk is generally to drive across town to the next supermarket and hope for the best!
Conclusion
Overall, risk assessments are a vital component of effective risk management, helping organisations safeguard their assets and ensure long-term sustainability. Clear criteria and guidance for consistent application of the risk assessment process are imperative for your Council.
For further support reviewing, developing and enhancing your Council’s risk assessment process, LGMS Member Councils should contact their Regional Risk Coordinator. The RRC program is a key feature of your membership and our teams’ mission is to assist you with the development, implementation and review of your approach to enterprise risk management.
MBA, AGIA, Strategic Leader (Strategy, Risk Management, Team Leadership, Corporate Governance, Design thinking)
2 months ago
Great article David!!! It’s a perfect time of year for organisations to undertake an assessment of their risks against their strategic objectives for 2025 and beyond.